Security

Splunk Fortigate application

jscott4t
New Member

Hello,

I am new to Splunk and saw the Splunk for Fortigate application and wanted to use it. I have installed Splunk and have configured a TCP port connection on a specified port. The readme says to use the sourcetype of fortigate. So I have added that in the GUI under Data inputs. Is there anything else I should be doing to get this working? Thanks

0 Karma

rbates20148
New Member

jscott4t;

Here's how I got the app to work using a FortiGate 3040B:

On the FG: Aim your syslogs at the Splunk indexer on a high port - I used 5012
On the Indexer: Configure a UDP Data input with:
"Source name override" = fortigate
"Set sourcetype" = manual
"Source type" = fortigate

I performed a splunk stop/clean eventdata/start and started immediately seeing FG traffic, and the app started to be able to see it also. Our FG is just in a test lab so it's not too chatty, but I am at least seeing data.

0 Karma

Drainy
Champion

Have you configured your fortigate appliances to forward the logs to the Splunk server? By default this is via UDP syslog on port 514.

0 Karma

jscott4t
New Member

@Drainy In my data inputs section I am using TCP port 1514. I did that because Splunk documentation suggests using TCP for a more reliable connection. I also have "Set sourcetype" set to manual and "Source type" set to fortigate. Should I change back to UDP?

@MHibbin will try that and report back.

0 Karma

MHibbin
Influencer

Are you not seeing the desired results then?

You should check that Splunk is receiving the raw data (events). You can do this by searching for the sourcetype in the "Search" App and then using the flashtimeline/search view... then type the following in the search bar (using the word "search" a lot, haha 🙂):

sourcetype=fortigate

You should see your raw data here (assuming you set up the sourcetype when you set up the TCP monitor). You should then confirm the results by navigating to the fortigate App.

If you are not receiving the events in Splunk, you can use some troubleshooting tools such as tcpdump on the receiving NIC and the relevant port. It may be that there is a network issue preventing the traffic flow.

Hope this helps, if you need more specific help... please update your question with more detail of the issue.

Regards,

MHibbin

0 Karma
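To tie rbates20148's UDP-input setup and MHibbin's "check that Splunk is receiving the raw data" step together, here is an added Python example (not code from the thread, the Splunk for Fortigate app, or Fortinet) that builds a constructed FortiGate-style key=value syslog event, sends it to the indexer's UDP input, and parses the body the way it should appear under sourcetype=fortigate. The indexer address 127.0.0.1, the port 5012 (the high port from rbates20148's reply), syslog facility local7 and every value in the sample event are assumptions for illustration.

```python
"""Send a constructed FortiGate-style syslog event to a Splunk UDP input and
parse its key=value body.  Added example; not the app's or Fortinet's code.

Assumptions (not from the original thread): the indexer listens on UDP 5012,
FortiGate logs with syslog facility local7, and the sample event is made up.
"""
import shlex
import socket

SPLUNK_HOST = "127.0.0.1"   # assumed indexer address
SPLUNK_UDP_PORT = 5012      # high port chosen in the thread

# Constructed sample event in FortiGate's key=value log format (not a real log).
SAMPLE_FORTIGATE_EVENT = (
    'date=2024-05-01 time=12:00:00 devname="FG-LAB" devid="FGDEVIDPLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 proto=6 '
    'action="accept" policyid=1 service="HTTPS" msg="test event from lab" '
    'sentbyte=1200 rcvdbyte=5400'
)


def syslog_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (local7.notice -> 189)."""
    return facility * 8 + severity


def build_syslog_message(event: str, facility: int = 23, severity: int = 5) -> bytes:
    """Prefix the key=value body with a syslog <PRI> header, as a device would."""
    return f"<{syslog_pri(facility, severity)}>{event}".encode("utf-8")


def parse_fortigate_kv(line: str) -> dict:
    """Split a FortiGate key=value line into a dict.

    shlex honours double quotes, so values containing spaces (e.g. msg="...")
    stay intact and the quotes are stripped.  A leading <PRI> header is dropped.
    """
    if line.startswith("<") and ">" in line:
        line = line[line.index(">") + 1:]
    fields = {}
    for token in shlex.split(line):
        if "=" not in token:
            continue                      # ignore stray tokens without a key
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def send_test_event(message: bytes, host: str = SPLUNK_HOST,
                    port: int = SPLUNK_UDP_PORT) -> int:
    """Fire one datagram at the Splunk UDP input; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (host, port))


if __name__ == "__main__":
    msg = build_syslog_message(SAMPLE_FORTIGATE_EVENT)
    sent = send_test_event(msg)
    print(f"sent {sent} bytes to {SPLUNK_HOST}:{SPLUNK_UDP_PORT}")
    # Show the fields Splunk should extract once the event is indexed.
    for key, value in parse_fortigate_kv(msg.decode("utf-8")).items():
        print(f"{key} = {value}")
```

After running it, the search sourcetype=fortigate in the Search app should show the event; if it does not, running tcpdump on the indexer's receiving NIC filtered to udp port 5012 tells you whether the datagram even reached the host, which separates a network problem from a Splunk input problem. The GUI settings in rbates20148's reply correspond to a `[udp://5012]` stanza in inputs.conf with `sourcetype = fortigate` and `source = fortigate`, which is handy to confirm when the GUI and the on-disk config disagree.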

jscott4t
New Member

No joy yet, the search returned empty.

I have not set up any indexing; does that matter?

0 Karma