Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains. The key features include:
• Streamlining authentication and access from FortiGate such as administrator login, user login, VPN termination authentication into to Splunk Enterprise Security Access Center
• Mapping FortiGate virus report into Splunk Enterprise Security Endpoint Malware Center
• Ingesting traffic logs, IPS logs, system configuration logs and Web filtering data etc.
Fortinet FortiGate Add-On for Splunk provides common information model (CIM) knowledge, advanced “saved search”, indexers and macros to use with other Splunk Enterprise apps such as Splunk App for Enterprise Security.
If used with apps that are based on CIM, Splunk Common Information Model Add-on will need to be installed.
Please make sure FortiGate FOS version is 5.0 or later.
Note: There is a 3rd party add-on for Fortinet named Fortinet Fortigate with FortiOS 5 Add-On with folder name TA-fortinet, which has conflict with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd party add-on before you proceed.
There are three ways to install the add-on:
Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fortigate_log is specified in default/props.conf instead, please follow the instruction below to configure your input and props.conf for the App and TA(Add-on).
Through Splunk Web UI:
Settings->Data Input->UDP
Port: 514 (Example, can be modified according to your own plan)
leave other parameters as is.
Note: the UDP port, 514 in this example should be opened in firewall for logs to pass through. If you choose TCP input and on FortiGate use "reliable"(tcp) mode for syslog setting, you will need to add the following in local/props.conf because tcp tranported syslog will have xxx <yyy> header as line indicator.(8514 below is an example of TCP port, you can choose your own. There is no timestamp header like UDP so you can specify the timestamp field in the fortigate log, in our case the precision is in nanoseconds so the time format is %s%9N. If your FOS version has time stamp in different precision, refer to: https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Commontimeformatvariables)
[source::tcp:8514]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d{2,3}\s+<\d{2,3}>)
TIME_PREFIX = eventtime=
TIME_FORMAT = %s%9N
If you are forwarding FortiGate logs from Fortianalyzer, please make sure you set the format to syslog instead of the default CEF format.
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fortigate_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.
replace [fortigate_log] with [fortigate], for instance.
Restart Splunk service for the change to take effect.
Available dashboards in Enterprise Security App supported by Fortinet Fortigate Add-on for Splunk.
Please note in FOS 5.6 version, the type field includes "", so in order for the fortigate logs to be recognized, please upgrade this add-on to 1.5 version.
For more information on the App support, email splunk_app@fortinet.com.
add a pattern for 2601F and future xK models.
v1.6.6: Sept 2021
- add alias for legacy source types
v1.6.5: Aug 2021
- splunk proposal for better CIM compliance
- map detected in action lookup to allowed
fix session throughput miscalculation caused by long session.
correct action lookups
update references of fgt to fortigate
v1.5: Jul 2017
- Modify regex to accommodate FOS5.6 log format
v1.4: Oct 2016
- Modify regex to accommodate logs from other forwarding sources, which don't have date and time fields
Changes for certification, no bug fixes or features.
v1.2: Feb 2016
- Fix FortiWifi Platform Log problem
- Change for splunk certification
- Remove default sourcetype wildcard matching, use fgt_log sourcetype instead
- Add csv log format support
Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fgt_log is specified in default/props.conf instead, please follow the instruction in documentation to configure your input and props.conf for the App and TA(Add-on).
v1.0: Aug 2015
- Initial release
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.