Timestamp issue with firewall logs

tkerr1357 · ‎11-06-2020

Hi all,

still learning Splunk here and we just started ingesting Fortigate firewall logs. After a recent FortiGate update the logs are coming in all with a timestamp of 5am. The logs are coming in via syslog to a HF. I have tried using

TIME_FORMAT = date=%Y-%m-%d time=%H:%M:%S
TIME_PREFIX = ^\s*<\d{3}>

which was suggested in another fortigate ticket without any luck. Any help is appreciated.

11/6/20
5:00:00.000 AM

<189>logver=602055878 timestamp=1604673601 tz="UTC-5:00" devname="RNHN-FW1800F" devid="FG181FTK20900192" vd="CORP" date=2020-11-06 time=09:40:01 logid="0001000014" type="traffic" subtype="local" level="notice" eventtime=1604673601539310045 tz="-0500" srcip=87.251.80.10 srcport=53887 srcintf="FairPoint_WAN_B" srcintfrole="wan" dstip=71.181.10.217 dstport=2256 dstintf="unknown0" dstintfrole="undefined" sessionid=45763314 proto=6 action="deny" policyid=0 policytype="local-in-policy" service="tcp/2256" dstcountry="United States" srccountry="Russian Federation" trandisp="noop" app="tcp/2256" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" mastersrcmac="02:00:40:05:26:15" srcmac="02:00:40:05:26:15" srcserver=1

richgalloway · ‎11-06-2020

The TIME_PREFIX value does not match the example data. Try these settings

TIME_FORMAT = %Y-%m-%d time=%H:%M:%S
TIME_PREFIX = date=

---
If this reply helps you, Karma would be appreciated.

Timestamp issue with firewall logs

props.conf

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability