- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Fortigate logs are not in CIM format
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate logs are not in CIM format
I installed Fortinet Fortigate Add-on for Splunk 1.6.0 and Fortinet Fortigate App for Splunk 1.4.
Sourcetypes are identified correctly: fgt_traffic, fgt_utm and fgt_event but the logs are not in the CIM format: srcip, srcport, dstip, dstport.
Any recommendation?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case it looks like a permissions issue. If you want to use these aliases inside search, change the permissions for the aliases in local.meta so that they're exported system wide for read. And also any other objects inside the app that you might want to use from another app.
I haven't loaded this app since I don't have a fortigate, but typically an installation will set the knowledge objects to be only visible within the originating app.
Make sure, of course, that any objects you do this to, don't conflict with things exported from other apps (unlikely, as they should be tied to sourcetypes only applicable to fortigate, but worth checking nonetheless), or you won't get the results you expect. You can use btool to check the work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pretty sure you'll need to do this yourself then.
It boils down to studying the applicable CIM topic area, working out what tags, eventtypes and field aliases are needed for your sourcetypes, and creating them. Sounds like you won't need to do any extractions or lookups, but I'm not familiar with Fortigate devices so you'd need to check this as well.
Not terribly helpful help, but this is simply what happens sometimes.
Cheers,
Charles
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked field aliases and for the Fortinet Fortigate Add-on for Splunk, the aliases seems to be defined ok, e.g. fgt_event : FIELDALIAS-fgt_vpn_src_user user as src_user.
However, when using the Splunk Search app, the logs are using srcip, srcport, dstip, dstport, etc format.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
