icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Fortinet FortiGate App for Splunk
SHA256 checksum (fortinet-fortigate-app-for-splunk_163.tgz) 0b152e545daa03c54ab3cc2255774a4b5e13cf230f5a782a6ecaf056ad6a23b8 SHA256 checksum (fortinet-fortigate-app-for-splunk_162.tgz) f24e37be591b5824b060df523dc1b53d97fae12d0d1e444a8770565ad201223a SHA256 checksum (fortinet-fortigate-app-for-splunk_161.tgz) f96c9e75ff683b80db6bd2fad26ac91c0f3974e862c8d57925272d550a6de2a2 SHA256 checksum (fortinet-fortigate-app-for-splunk_160.tgz) 5f532188ad636d2a3defccbcd9ba4c777fe88f34bcc96d9884dbb2283f01d7e1 SHA256 checksum (fortinet-fortigate-app-for-splunk_151.tgz) 6da4cde3c6bbe8cf1edae021ba414493fdef0a160d4838fde6613182db7eeee5 SHA256 checksum (fortinet-fortigate-app-for-splunk_150.tgz) 04ff5aeba4ce6a1c231339c7901b9e6bca4a88b399a371d42e2919e208334f2e SHA256 checksum (fortinet-fortigate-app-for-splunk_14.tgz) 173cf3e684bb517c057dea2f7b1dd5576bff673bf8de2c1db0724aac113c3fd2 SHA256 checksum (fortinet-fortigate-app-for-splunk_13.tgz) 04f57ae12b352faad067c48bbb1a0b83e401a1f6fa7616d6f773d93b0e9b3133 SHA256 checksum (fortinet-fortigate-app-for-splunk_12.tgz) d58f9a879e0beefd5861c37ca1df9ea9541054312ea0ea98884e61cca935c11d SHA256 checksum (fortinet-fortigate-app-for-splunk_11.tgz) fe388e3e9fd096ab5eb434693223fee640ce3328a4a7cc5050c1084c7b7362bc SHA256 checksum (fortinet-fortigate-app-for-splunk_10.tgz) d0bbda602db23e607fa9b439a306c2113fbf0c6db2486e71f5d4b50b14606a9f
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Fortinet FortiGate App for Splunk

Splunk Cloud
The Fortinet FortiGate App for Splunk provides datacenter threat visualizations to identify anomalous behavior and helps de-duplicate threat feed data to enable the fast creation and consolidation of analytics. The Fortinet FortiGate App for Splunk properly maps log fields from FortiGate appliances and interchanges into a common format to Splunk intelligence framework.
The Fortinet FortiGate App for Splunk verifies current and historical logs, administrative events, basic firewall, unified treat management, anti-virus, IPS and application controls with Fortinet VDOM enabled. The integrated dashboard enables layered defense with network security, better application threat detection and management through rich data logs from Fortinet physical and virtual appliances.

The Fortinet FortiGate App for Splunk supports logs from FortiOS 5.0/5.2/5.4. FortiOS 5.6, 6.0, 6.2, 6.4 are supported beginning from Fortinet FortiGate Add-on for Splunk 1.5 version.

Fortinet FortiGate App for Splunk

Next Generation and Datacenter Firewalls


The Fortinet FortiGate App for Splunk provides real-time and historical dashboard and analytical reports on traffic, threats, wireless APs, systems, authentications and VPNs for all products across the FortiGate physical and virtual appliances. The integrated solution pinpoints threats and attacks with faster response times without long exposure in unknown troubleshooting state.

With the massive set of logs and big data aggregation through Splunk, the Fortinet FortiGate App for Splunk is certified with pre-defined threat monitoring and performance indicators that guide network security practices a lot easier in the datacenter. As the de facto trending dashboard for many enterprises or service providers, IT administrators can also modify the regular expression query to custom fit for advanced security reporting and compliance mandates.

This document describes how to set up Fortinet FortiGate App for Splunk as well as configuration on the appliances to enable log shipping to Splunk.


The Fortinet FortiGate App depends on the Add-on in order to work properly, so please make sure Fortinet FortiGate Add-on for Splunk has been installed before you proceed.

Also, please check whether FortiGate FOS is 5.0 version or later. The app beginning from 1.6.0 version will depend on the Add-on's 1.6.3 version and up.

Configuration Steps

1. Install Fortinet FortiGate Add-on for Splunk on search head, indexer, forwarder or single instance Splunk server:

Note: There is a 3rd party add-on for Fortinet named Fortinet Fortigate with FortiOS 5 Add-On with folder name TA-fortinet, which has conflict with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd party add-on before you proceed.

There are three ways to install the add-on:

  1. Install from Splunk web UI: Manage Apps->Browse more apps->Search keyword “Fortinet” and find the add-on with Fortinet logo->Click “Install free” button->Click restart splunk service.
  2. Install from file on Splunk web UI: Manage Apps->Install from file->Upload the .tgz file which is downloaded from https://splunkbase.splunk.com/apps ->check the upgrade box-> click restart splunk service.
  3. Install from file on Splunk server CLI interface: Extract the .tgz file->Place the TA-fortinet folder under $SPLUNK_HOME/etc/apps-> Restart Splunk service.

2. Install Fortinet FortiGate App for Splunk on search head, indexer, forwarder or single instance Splunk server:

There are three ways to install the app:

  1. Install from Splunk web UI: Manage Apps > Browse more apps > Search keyword “Fortinet” > Click “Install free” button > Click Restart Splunk Service.
  2. Install from file on Splunk web UI: Manage Apps > Install from file > Upload the .tgz file which is downloaded from https://splunkbase.splunk.com/app > Click Restart Splunk service.
  3. Install from file on Splunk server CLI interface: Extract the .tgz file->Place the SplunkAppForFortinet folder under $SPLUNK_HOME/etc/apps > Restart Splunk Service.

3. Add data input on Splunk server:

Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fortigate_log(before 1.6, the default is fgt_log) is specified in default/props.conf instead, please follow the instruction below to configure your input and props.conf for the App and TA(Add-on).

Through Splunk Web UI:
Option1: Adding a TCP/UDP input
Settings->Data Input->UDP
Port: 514 (Example, can be modified according to your own plan)
Sourcetype: fortigate_log (Example, can be modified according to your own plan but need to match the sourcetype stanza in props.conf)

Option2: Adding a file input
Settings->Data Input->Files & Directories
Browse: Select the file directory
Select sourcetype: if fortigate_log is not created yet, click Save As -> Name:fortigate_log
Leave others unchanged and save.

Note: the UDP port, 514 in this example should be opened in firewall for logs to pass through. If you choose TCP input and on FortiGate use "reliable"(tcp) mode for syslog setting, you will need to add the following in local/props.conf because tcp tranported syslog will have xxx <yyy> header as line indicator.(8514 below is an example of TCP port, you can choose your own. There is no timestamp header like UDP so you can specify the timestamp field in the fortigate log, in our case the precision is in nanoseconds so the time format is %s%9N. If your FOS version has time stamp in different precision, refer to: https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Commontimeformatvariables)

LINE_BREAKER = (\d{2,3}\s+<\d{2,3}>)
TIME_PREFIX = eventtime=

Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fortigate_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.
replace [fortigate_log] with [fortigate], for instance.

Note: Please use notepad++ to edit the configuration files if you are working on a Windows operating system. Windows's default Notepad can not display or save the configuration file in proper format.

If a customized index is used for the input, it also needs to be added in admin user's default authorized list of indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf

srchIndexesDefault = fortigate;main
srchMaxTime = 8640000

In this example, fortigate is the index for my fortigate log input.

Restart Splunk service for the change to take effect.

4. Configure FortiGate to send logs to Splunk server:

config log syslogd setting (or 'config log syslogd2/3' setting if syslogd is occupied)   
set status enable   
set server "x.x.x.x"   
set port 514 (Example. Should be the same as in data input of Splunk server)   

Note: If you are forwarding FortiGate logs from Fortianalyzer, please make sure you set the format to syslog instead of the default CEF format. If you would like to use TCP as transport protocol, please add 'set mode reliable' and refer to step3 above for TCP related configuration on Splunk side.

5. Enable Data Model Acceleration:

Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. User has to either enable data acceleration on Splunk GUI Settings->Data Models->Fortinet FoS Log.
Or on Splunk search head, where the app is installed, create "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:

acceleration = 1
acceleration.earliest_time = -1mon

6. Verify that logs are received on Splunk server:

Alt text

At this point, you will see data parsed and presented on Fortinet Network Security dashboard.

Alt text

Fortinet FortiGate App for Splunk delivers the data visibility throughout Fortinet’s next-generation firewalls and the analysis for advanced security reporting without error prone manual process.

7. (Optional)Extract time from FOS log:

There is eventtime field with the epoch time in FortiGate log in newer FOS versions(6.0 and later). To use it as the timestamp, you can add the following in local/props.conf under the stanza of the corresponding input.
If the eventtime field has 19 digits(FOS6.4 and later)

TIME_PREFIX = eventtime=

If the eventtime field has 10 digits:

TIME_PREFIX = eventtime=

In FOS5.6 version, the field is called logtime, so change TIME_PREFIX accordingly:

TIME_PREFIX = logtime=


  • Check whether FortiGate FOS is 5.0 version or later.
  • Go back to Configuration Steps to double check if every step has been followed.
  • Make sure port 514 in this case is opened on firewalls throughout the log's data path.
  • Double-check Splunk server and FortiGate devices are synchronized in time.
  • Make sure traffic logging is enabled in policies on FortiGate configuration, for example:
config firewall policy   
edit 1   
set logtraffic all   
  • If you see graphs on first page - Fortinet Network Security but there is none on rest of the dashboards, you can try to extend the time range. If there is graph after increasing the time range, the probable cause is data model is not accelerated completely yet. You can verify this by looking at Settings > Data Model > Fortinet FoS Log. Expand. If the percentage is low, it means Splunk server is limited on resources. It may take some time for the data model acceleration to catch up.
  • Sometimes, the logs received by syslogd can be transformed and would not match the regex in the app, so no data will be shown on dashboards. Here are the regex in transforms.conf of fortigate add-on Splunk_TA_fortinet_fortigate.

Make sure the log can match those regex. If not, you can also make slight change on the regex to fit the log.
Please note in FOS 5.6 version, the type field includes "", so in order for the fortigate logs to be recognized, please upgrade Fortinet FortiGate Add-on for Splunk to 1.5 version.
The App only supports logs from FOS 5.0 and higher versions. Older versions have different log format so you might probably encouter problems.
If still no luck getting the dashboards to show anything, please try searching for "host=x.x.x.x" where x.x.x.x is the IP or the hostname of the machine reporting the log, if there are any results with sourcetype=fortigate_traffic, fortigate_event or fortigate_utm, you just need a little bit of patience, if not, please take a screenshot and send it to the email below.

For more information on the App support, email splunk_app@fortinet.com for further support.

Release Notes

Version 1.6.3
Sept. 8, 2021

v1.6.3: Sept 2021
- fix session by action aggregation

Version 1.6.2
Aug. 26, 2021

-1.6.2 update xml version to support Splunk 8.2

Version 1.6.1
June 3, 2021

fix session number miscalculation issue caused by long session

Version 1.6.0
April 1, 2021

update references of fgt to fortigate

Version 1.5.1
Dec. 10, 2019
  • consider anomly as threat
Version 1.5.0
Aug. 2, 2019
  1. fix app inspection errors: remove datamodel acceleration from default. User has to enable it manually on GUI or config file.
Version 1.4
Oct. 17, 2016

v1.4: Oct 2016
- Optimize datamodel to make acceleration faster and size smaller
- add default earliest time 1 month for acceleration
- Remove deprecated tags to pass certification precheck

Version 1.3
May 24, 2016

Changes for certification, no bug fixes or feature change.

Version 1.2
April 6, 2016

v1.2: Feb 2016
- Changes for Splunk certification
Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fgt_log is specified in default/props.conf instead, please follow the instruction in documentation to configure your input and props.conf for the App and TA(Add-on).

Version 1.1
Aug. 20, 2015

v1.1: Aug 2015
- Change App Name to "Fortinet Fortigate App for Splunk"
- Move data input processing to "Fortinet Fortigate
Add-On for Splunk"
- Change datamodel and dashboard search strings to fit
the Add-On sourcetypes and fieldnames

Version 1.0
July 24, 2015

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.