The Fortinet FortiGate App for Splunk provides real-time and historical dashboard and analytical reports on traffic, threats, wireless APs, systems, authentications and VPNs for all products across the FortiGate physical and virtual appliances. The integrated solution pinpoints threats and attacks with faster response times without long exposure in unknown troubleshooting state.
With the massive set of logs and big data aggregation through Splunk, the Fortinet FortiGate App for Splunk is certified with pre-defined threat monitoring and performance indicators that make network security practice in the datacenter much easier. As the de facto trending dashboard for many enterprises and service providers, it also lets IT administrators modify the regular expression queries to custom fit advanced security reporting and compliance mandates.
This document describes how to set up Fortinet FortiGate App for Splunk as well as configuration on the appliances to enable log shipping to Splunk.
The Fortinet FortiGate App depends on the Add-on in order to work properly, so please make sure Fortinet FortiGate Add-on for Splunk has been installed before you proceed.
Also, please check that the FortiGate runs FortiOS (FOS) version 5.0 or later.
Note: There is a 3rd party add-on for Fortinet named "Fortinet Fortigate with FortiOS 5 Add-On" (folder name TA-fortinet) which conflicts with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd party add-on before you proceed.
There are three ways to install the add-on:
There are three ways to install the app:
Note: From version 1.2, the Splunk TA (Add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; a default sourcetype fgt_log is specified in default/props.conf instead. Please follow the instructions below to configure your input and props.conf for the App and TA (Add-on).
Through Splunk Web UI:
Option 1: Adding a UDP input
Port: 514 (Example, can be modified according to your own plan)
Sourcetype: fgt_log (Example, can be modified according to your own plan, but it needs to match the sourcetype stanza in props.conf)
Option 2: Adding a file input
Settings->Data Input->Files & Directories
Browse: Select the file directory
Select sourcetype: if fgt_log is not created yet, click Save As -> Name: fgt_log
Leave others unchanged and save.
Note: the UDP port (514 in this example) must be open on any firewall between the FortiGate and the Splunk server for the logs to pass through.
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fgt_log'.
If you want it to extract a self-defined sourcetype instead, copy the props.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and rename the sourcetype stanza, replacing [fgt_log] with [fortigate], for instance.
Note: Please use Notepad++ to edit the configuration files if you are working on a Windows operating system. Windows' default Notepad cannot display or save the configuration files in the proper format.
If a customized index is used for the input, it also needs to be added to the admin role's default list of searchable indexes (srchIndexesDefault in authorize.conf):
    [role_admin]
    srchIndexesDefault = fgt;main
    srchMaxTime = 8640000
In this example, fgt is the index for my FortiGate log input.
Restart Splunk service for the change to take effect.
On the FortiGate, point syslog at the Splunk server (use 'config log syslogd2 setting' or 'config log syslogd3 setting' if syslogd is already occupied):
    config log syslogd setting
        set status enable
        set server "x.x.x.x"
        set port 514
    end
The port (514 in this example) should be the same as in the data input of the Splunk server.
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. You have to enable it yourself, either in the Splunk GUI under Settings->Data Models->Fortinet FoS Log,
or on the Splunk search head where the app is installed: create a "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:
    [ftnt_fos]
    acceleration = 1
    acceleration.earliest_time = -1mon
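The three configuration edits above (a renamed props.conf stanza in the Add-on, srchIndexesDefault in authorize.conf, and acceleration in the App's datamodels.conf) all rely on Splunk layering local/ over default/. The following script is an added example, not code from the Fortinet App, the Add-on or Splunk: it builds a throwaway etc/ tree with constructed default/ files (the real shipped files carry many more keys), writes the local/ overrides described on this page, and merges them the way Splunk does, so you can see the effective settings before restarting the service.

```python
"""Effective Splunk .conf settings after layering local/ over default/.

Added example, not code from the Fortinet App, the Add-on or Splunk. It
builds a throwaway $SPLUNK_HOME/etc tree with constructed default/ files,
writes the three local/ overrides this page describes, and merges them the
way Splunk does: local wins key by key, stanzas present only in default
stay in force.
"""
import configparser
import os
import tempfile

# Constructed stand-ins for the shipped default/ files (the real ones carry
# many more keys; only those relevant to this page's steps are modelled).
DEFAULT_FILES = {
    "apps/Splunk_TA_fortinet_fortigate/default/props.conf":
        "[fgt_log]\nSHOULD_LINEMERGE = false\n",
    "apps/SplunkAppForFortinet/default/datamodels.conf":
        "[ftnt_fos]\nacceleration = 0\n",
    "system/default/authorize.conf":
        "[role_admin]\nsrchIndexesDefault = main\nsrchMaxTime = 8640000\n",
}

# The local/ overrides from this page. authorize.conf and datamodels.conf are
# the stanzas quoted above; props.conf is derived in build_demo() by copying
# the default stanza and renaming it, as the page instructs.
LOCAL_FILES = {
    "system/local/authorize.conf":
        "[role_admin]\nsrchIndexesDefault = fgt;main\nsrchMaxTime = 8640000\n",
    "apps/SplunkAppForFortinet/local/datamodels.conf":
        "[ftnt_fos]\nacceleration = 1\nacceleration.earliest_time = -1mon\n",
}


def rename_stanza(conf_text, old, new):
    """Return conf_text with the first [old] stanza header renamed to [new]."""
    return conf_text.replace("[%s]" % old, "[%s]" % new, 1)


def load_conf(path):
    """Parse one Splunk-style .conf into {stanza: {key: value}}; missing file -> {}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    if os.path.exists(path):
        parser.read(path)
    return {s: dict(parser[s]) for s in parser.sections()}


def effective_conf(etc_dir, base, filename):
    """Merge <base>/default/<filename> with <base>/local/<filename>, local winning."""
    merged = load_conf(os.path.join(etc_dir, base, "default", filename))
    for stanza, keys in load_conf(os.path.join(etc_dir, base, "local", filename)).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def index_searchable_by_default(authorize_conf, index, role="role_admin"):
    """True if `index` is in the role's ';'-separated srchIndexesDefault list."""
    value = authorize_conf.get(role, {}).get("srchIndexesDefault", "")
    return index in [i.strip() for i in value.split(";") if i.strip()]


def acceleration_enabled(datamodels_conf, model="ftnt_fos"):
    """True if the data model has acceleration = 1 in the effective config."""
    return datamodels_conf.get(model, {}).get("acceleration", "0") == "1"


def build_demo():
    """Write the constructed tree into a temp dir and return the merged files."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        files = dict(DEFAULT_FILES)
        files.update(LOCAL_FILES)
        # Custom sourcetype: copy the Add-on's default stanza to local/ under the new name.
        files["apps/Splunk_TA_fortinet_fortigate/local/props.conf"] = rename_stanza(
            DEFAULT_FILES["apps/Splunk_TA_fortinet_fortigate/default/props.conf"],
            "fgt_log", "fortigate")
        for rel, text in files.items():
            path = os.path.join(etc, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return {
            "props": effective_conf(etc, "apps/Splunk_TA_fortinet_fortigate", "props.conf"),
            "authorize": effective_conf(etc, "system", "authorize.conf"),
            "datamodels": effective_conf(etc, "apps/SplunkAppForFortinet", "datamodels.conf"),
        }


if __name__ == "__main__":
    for name, conf in build_demo().items():
        print(name, conf)
```

Note that after the props.conf step both [fgt_log] (from default/) and [fortigate] (from local/) remain active: copying and renaming adds a stanza, it does not retire the default one. The authorize.conf override is shown under system/local because that is where a role edit made outside any app lands; an app's own local/ directory layers the same way.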
At this point, you will see data parsed and presented on the Fortinet Network Security dashboard.
Fortinet FortiGate App for Splunk delivers data visibility across Fortinet's next-generation firewalls and the analysis for advanced security reporting without an error-prone manual process.
Make sure logging is enabled on the firewall policies whose traffic should appear in the dashboards, for example:
    config firewall policy
        edit 1
            set logtraffic all
        next
    end
The Add-on recognizes FortiGate traffic, UTM and event logs with the following regexes:
    devid=\"?F[G|W|6K].+type=\"?traffic
    devid=\"?F[G|W|6K].+type=\"?utm
    devid=\"?F[G|W|6K].+type=\"?event
Make sure your logs match these regexes. If not, you can also make a slight change to the regexes to fit the logs.
Please note that in FOS 5.6 the type field includes double quotes (""), so in order for the FortiGate logs to be recognized, please upgrade Fortinet FortiGate Add-on for Splunk to version 1.5.
The App only supports logs from FOS 5.0 and higher versions. Older versions have a different log format, so you will probably encounter problems.
If you still have no luck getting the dashboards to show anything, try searching for "host=x.x.x.x", where x.x.x.x is the IP or the hostname of the machine reporting the logs. If there are any results with sourcetype=fgt_traffic, fgt_event or fgt_utm, you just need a little patience; if not, please take a screenshot and send it to the email below.
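To check the regex-matching and FOS 5.6 quoting points above without a live Splunk instance, the following script is an added example (not the Add-on's own code) that runs the three regexes quoted on this page over constructed FortiGate-style syslog lines. The devid values are made-up placeholders; the sample set includes the unquoted FOS 5.0 form, the FOS 5.6 form with values in double quotes, a FortiWiFi device id, a non-FortiGate devid, and a line with the fields in an order the regexes do not accept.

```python
"""Which Add-on sourcetype would each FortiGate log line be routed to?

Added example, not the Add-on's own code. ROUTES holds the three regexes
quoted on this page; SAMPLE_LOGS are constructed lines in FortiGate
key=value syslog format (devid values are placeholders), including the
FOS 5.6 form where every value is wrapped in double quotes.
"""
import re

# Regex -> sourcetype, as quoted on the page. The \"? after devid= and type=
# is what lets the FOS 5.6 quoted form match as well as the older unquoted one.
ROUTES = [
    (re.compile(r'devid=\"?F[G|W|6K].+type=\"?traffic'), "fgt_traffic"),
    (re.compile(r'devid=\"?F[G|W|6K].+type=\"?utm'), "fgt_utm"),
    (re.compile(r'devid=\"?F[G|W|6K].+type=\"?event'), "fgt_event"),
]

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = [
    # FOS 5.0-5.4 style: unquoted values
    'date=2016-10-03 time=12:00:01 devname=FGT-EDGE devid=FGT60D0000000000 logid=0000000013 type=traffic subtype=forward level=notice srcip=10.0.0.5 dstip=10.0.0.9 action=accept',
    'date=2016-10-03 time=12:00:02 devname=FGT-EDGE devid=FGT60D0000000000 logid=0419016384 type=utm subtype=ips level=alert severity=high',
    'date=2016-10-03 time=12:00:03 devname=FGT-EDGE devid=FGT60D0000000000 logid=0100032001 type=event subtype=system level=information',
    # FOS 5.6 style: values in double quotes
    'date=2017-06-01 time=09:00:00 devname="FGT-EDGE" devid="FGT60D0000000000" logid="0000000013" type="traffic" subtype="forward" level="notice"',
    # FortiWiFi device id (F then W) is accepted by the character class
    'date=2017-06-01 time=09:00:01 devname="FWF-BRANCH" devid="FWF60D0000000000" logid="0100032001" type="event" subtype="system"',
    # Not a FortiGate-family devid (F then A): not routed, dashboards stay empty
    'date=2017-06-01 time=09:00:02 devname="FAZ-LOGS" devid="FAZ-VM0000000000" logid="0000000013" type="traffic"',
    # type before devid: the regexes require devid first, so this is not routed
    'type=traffic devid=FGT60D0000000000 logid=0000000013',
]


def route(line):
    """Return the sourcetype assigned by the first matching regex, or None."""
    for pattern, sourcetype in ROUTES:
        if pattern.search(line):
            return sourcetype
    return None


def parse_fields(line):
    """Split a FortiGate key=value line into a dict, stripping FOS 5.6 quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def route_all(lines):
    """(devid, type, sourcetype-or-None) for every line, for a quick report."""
    rows = []
    for line in lines:
        fields = parse_fields(line)
        rows.append((fields.get("devid"), fields.get("type"), route(line)))
    return rows


if __name__ == "__main__":
    for devid, logtype, sourcetype in route_all(SAMPLE_LOGS):
        print("%-18s %-8s -> %s" % (devid, logtype, sourcetype))
```

Lines that come back as None are the ones to look at first when the dashboards stay empty: either the devid does not start with FG, FW or F6K (a log relayed from another Fortinet product, for instance) or the line does not carry the fields in the order the regexes expect, and that is where a slight change to the regexes, as the text suggests, would go.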
For App support, email firstname.lastname@example.org.
- Consider anomaly as threat
- Fix AppInspect errors: remove data model acceleration from default. Users have to enable it manually in the GUI or the config file.
v1.4: Oct 2016
- Optimize datamodel to make acceleration faster and size smaller
- add default earliest time 1 month for acceleration
- Remove deprecated tags to pass certification precheck
Changes for certification, no bug fixes or feature changes.
v1.2: Feb 2016
- Changes for Splunk certification
Note: From version 1.2, the Splunk TA (Add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; a default sourcetype fgt_log is specified in default/props.conf instead. Please follow the instructions in the documentation to configure your input and props.conf for the App and TA (Add-on).
v1.1: Aug 2015
- Change App Name to "Fortinet Fortigate App for Splunk"
- Move data input processing to "Fortinet Fortigate Add-On for Splunk"
- Change datamodel and dashboard search strings to fit the Add-On sourcetypes and fieldnames