Hi
Running Fortigate 80c with v4.0 MR3. I've downloaded and installed the fortigate splunk app but I'm having trouble getting data into it. I can see data coming into splunk from the fortigate via Manager > Apps > Search. I seem to have 1 source called fortigate with data labelled in this as host=machinename, sourcetype=fortigate, source=fortigate etc. This input increases, so information is getting in, but it just doesn't seem to be indexed properly for the splunk fortigate app.
The inputs.conf is as follows:
[udp://514]
connection_host=int ip of fortigate
sourcetype=fortigate
no_appending_timestamp=true
I'm fairly new to splunk so I've probably got something not configured or misconfigured. Can somebody help?
Hello Splunkers,
I am facing the same issue. I have the fortinet logs indexed into a single instance of Splunk and can see the events in the search as index=fortinet_data_index, but the fortinet app is not showing the dashboard. Sometimes it says "waiting for data..." and at other times it is showing "fgt_logs" in the dashboard.
I am using 'Fortinet FortiGate Add-On for Splunk' and 'Fortinet FortiGate App for Splunk' on both the machines.
Please suggest why the logs are not detected in the dashboards of the fortinet app when they are visible in search with source=fortinet.
Any lead in this direction will be appreciated.
Splunkers,
I faced the same issue; however, I managed to resolve it.
Hi Maik, did you solve the problem? I am suffering from the same problem. Help me, don't leave me alone. Thank you in advance.
Hi,
It seems that I am having the same trouble as rogerv (by the way: is it solved? How?).
Logging from i.e. a fortigate 60c, v4.3, to splunk (I had to work with props.conf and transforms.conf, as there are multiple devices sending logs to udp/514).
"search sourcetype=fortigate*" shows events, but only sourcetype=fortigate, no sourcetypes like fortigate_traffic or similar.
On the fortigates, "Enable CSV Format" is unchecked...
Any ideas?
regards,
Maik
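One way to do the props.conf/transforms.conf work mentioned above, splitting the single fortigate sourcetype per log type and separating devices that share udp/514, as an added example that is not from any poster or from the Fortinet app itself; the stanza names, the fortigate_traffic/fortigate_event sourcetype names and the 192.0.2.10 placeholder host are assumptions, so check the app's own props.conf for the names its dashboards actually search on:

```ini
# props.conf (added example, not the app's own configuration)
# 1) Everything arriving on udp/514 lands here; pick the FortiGate out of the
#    mixed stream by sender host before any FortiGate-specific processing.
[source::udp:514]
TRANSFORMS-by_host = fortigate_by_host

# 2) Events already typed "fortigate" get a finer sourcetype from the
#    FortiOS "type=" field (type=traffic, type=event, ...).
[fortigate]
TRANSFORMS-fortigate_split = fortigate_set_traffic, fortigate_set_event

# transforms.conf
# Host match: MetaData:Host holds "host::<value>", so anchor on that form.
# 192.0.2.10 is a placeholder; put the FortiGate's real sending IP here.
[fortigate_by_host]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.0\.2\.10$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate

# Sourcetype rewrite on the raw event text (SOURCE_KEY defaults to _raw).
[fortigate_set_traffic]
REGEX = \btype=traffic\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate_traffic

[fortigate_set_event]
REGEX = \btype=event\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::fortigate_event
```

These are index-time rules, so only events indexed after a restart pick up the new sourcetype; events already indexed as plain fortigate stay that way. Verify with a search such as sourcetype=fortigate* | stats count by host, sourcetype before expecting the app's dashboards to change.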
On the fortigate uncheck the box "Enable CSV Format"
Hi, do you have an example of what's not working? If you just run a search for sourcetype=fortigate, what fields are displayed on the left hand side?