The Fortinet FortiGate App for Splunk provides real-time and historical dashboard and analytical reports on traffic, threats, wireless APs, systems, authentications and VPNs for all products across the FortiGate physical and virtual appliances. The integrated solution pinpoints threats and attacks with faster response times without long exposure in unknown troubleshooting state.
With the massive set of logs and big data aggregation through Splunk, the Fortinet FortiGate App for Splunk is certified with pre-defined threat monitoring and performance indicators that guide network security practices a lot easier in the datacenter. As the de facto trending dashboard for many enterprises or service providers, IT administrators can also modify the regular expression query to custom fit for advanced security reporting and compliance mandates.
This document describes how to set up Fortinet FortiGate App for Splunk as well as configuration on the appliances to enable log shipping to Splunk.
The Fortinet FortiGate App depends on the Add-on in order to work properly, so please make sure Fortinet FortiGate Add-on for Splunk has been installed before you proceed.
Also, please check whether FortiGate FOS is 5.0 version or later. The app beginning from 1.6.0 version will depend on the Add-on's 1.6.3 version and up.
Note: There is a 3rd party add-on for Fortinet named Fortinet Fortigate with FortiOS 5 Add-On with folder name TA-fortinet, which has conflict with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd party add-on before you proceed.
There are three ways to install the add-on:
There are three ways to install the app:
Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fortigate_log(before 1.6, the default is fgt_log) is specified in default/props.conf instead, please follow the instruction below to configure your input and props.conf for the App and TA(Add-on).
Through Splunk Web UI:
Option1: Adding a TCP/UDP input
Settings->Data Input->UDP
Port: 514 (Example, can be modified according to your own plan)
Sourcetype: fortigate_log (Example, can be modified according to your own plan but need to match the sourcetype stanza in props.conf)
Option2: Adding a file input
Settings->Data Input->Files & Directories
Browse: Select the file directory
Select sourcetype: if fortigate_log is not created yet, click Save As -> Name:fortigate_log
Leave others unchanged and save.
Note: the UDP port, 514 in this example should be opened in firewall for logs to pass through. If you choose TCP input and on FortiGate use "reliable"(tcp) mode for syslog setting, you will need to add the following in local/props.conf because tcp tranported syslog will have xxx <yyy> header as line indicator.(8514 below is an example of TCP port, you can choose your own. There is no timestamp header like UDP so you can specify the timestamp field in the fortigate log, in our case the precision is in nanoseconds so the time format is %s%9N. If your FOS version has time stamp in different precision, refer to: https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Commontimeformatvariables)
[source::tcp:8514]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d{2,3}\s+<\d{2,3}>)
TIME_PREFIX = eventtime=
TIME_FORMAT = %s%9N
Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fortigate_log'.
If you want to configure it to extract a self-defined sourcetype, copy the props.conf
in $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to
$SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and change the source stanza.
replace [fortigate_log] with [fortigate], for instance.
Note: Please use notepad++ to edit the configuration files if you are working on a Windows operating system. Windows's default Notepad can not display or save the configuration file in proper format.
If a customized index is used for the input, it also needs to be added in admin user's default authorized list of indexes to search.
In $SPLUNK_HOME/etc/system/local/authorize.conf
[role_admin]
srchIndexesDefault = fortigate;main
srchMaxTime = 8640000
In this example, fortigate is the index for my fortigate log input.
Restart Splunk service for the change to take effect.
config log syslogd setting (or 'config log syslogd2/3' setting if syslogd is occupied)
set status enable
set server "x.x.x.x"
set port 514 (Example. Should be the same as in data input of Splunk server)
end
Note: If you are forwarding FortiGate logs from Fortianalyzer, please make sure you set the format to syslog instead of the default CEF format. If you would like to use TCP as transport protocol, please add 'set mode reliable' and refer to step3 above for TCP related configuration on Splunk side.
Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. User has to either enable data acceleration on Splunk GUI Settings->Data Models->Fortinet FoS Log.
Or on Splunk search head, where the app is installed, create "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file in this "local" folder named datamodels.conf with the following content:
[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon
At this point, you will see data parsed and presented on Fortinet Network Security dashboard.
Fortinet FortiGate App for Splunk delivers the data visibility throughout Fortinet’s next-generation firewalls and the analysis for advanced security reporting without error prone manual process.
There is eventtime field with the epoch time in FortiGate log in newer FOS versions(6.0 and later). To use it as the timestamp, you can add the following in local/props.conf under the stanza of the corresponding input.
If the eventtime field has 19 digits(FOS6.4 and later)
TIME_FORMAT = %s%9N
TIME_PREFIX = eventtime=
If the eventtime field has 10 digits:
TIME_FORMAT = %s
TIME_PREFIX = eventtime=
In FOS5.6 version, the field is called logtime, so change TIME_PREFIX accordingly:
TIME_FORMAT = %s
TIME_PREFIX = logtime=
Splunk Enterprise sends unwanted incoming events to nullQueue to discard them during data routing and filtering. To set up this filter, you can add the following regex in local/props.conf of fortigate add-on Splunk_TA_fortinet_fortigate.
Example:
TRANSFORMS-force_sourcetype_fortigate = setnull,force_sourcetype_fortigate
Also add the following regex in local/transforms.conf of fortigate add-on Splunk_TA_fortinet_fortigate.
[setnull]
REGEX = <expression for the filter here> (Example: REGEX = policyid=57)
DEST_KEY = queue
FORMAT = nullQueue
Please restart Splunk service for the change to take effect.
1. Disable rsyslog: sudo dpkg –purge rsyslog
2. Install syslog-NG: apt install syslog-ng
3. Configure syslog-NG, add following content to /etc/syslog-ng/syslog-ng.conf
@version:3.5
# syslog-ng configuration file.
source s_network {
udp(port(5514));
};
#Destinations
destination d_all { file("/var/log/fortigate/$HOST/$YEAR-$MONTH-$DAY-catch_all.log" create_dirs(yes)); };
# Filters
filter f_all {
};
# Log
log { source(s_network); destination(d_all); };
4. Restart the syslog-NG service: service syslog-ng restart
Add the following CLI to Fortigate to send syslog to syslog-NG
config log syslogd setting
set status enable
set server “<ip of syslog-NG server>”
set port 5514
end
1. Install the Splunk Universal Forwarder
Refer to: https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/HowtoforwarddatatoSplunkCloud?ref=hk#HowtoforwarddatatoSplunkCloud#How_to_forward_data_to_Splunk_Cloud
2. Configure the Splunk Universal Forwarder
Add data source to /opt/splunkforwarder/etc/search/local/inputs.conf
[monitor:///var/log/fortigate/*/*.log]
sourcetype = fortigate_log
disabled = false
3. Install Fortinet FortiGate Add-on for Splunk in Splunk cloud.
Through Splunk cloud web UI:
Apps-> Find More Apps-> Search keyword ‘Fortinet’ and find the add-on with Fortinet logo -> Click “Install” button
4. Restart Splunk Service
config firewall policy
edit 1
set logtraffic all
end
end
REGEX = ^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)
Make sure the log can match those regex. If not, you can also make slight change on the regex to fit the log.
Please note in FOS 5.6 version, the type field includes "", so in order for the fortigate logs to be recognized, please upgrade Fortinet FortiGate Add-on for Splunk to 1.5 version.
* The App only supports logs from FOS 5.0 and higher versions. Older versions have different log format so you might probably encouter problems.
* If still no luck getting the dashboards to show anything, please try searching for "host=x.x.x.x" where x.x.x.x is the IP or the hostname of the machine reporting the log, if there are any results with sourcetype=fortigate_traffic, fortigate_event or fortigate_utm, you just need a little bit of patience, if not, please take a screenshot and send it to the email below.
For more information on the App support, email splunk_app@fortinet.com for further support.
update app version to stay active
v1.6.3: Sept 2021
- fix session by action aggregation
-1.6.2 update xml version to support Splunk 8.2
fix session number miscalculation issue caused by long session
update references of fgt to fortigate
v1.4: Oct 2016
- Optimize datamodel to make acceleration faster and size smaller
- add default earliest time 1 month for acceleration
- Remove deprecated tags to pass certification precheck
Changes for certification, no bug fixes or feature change.
v1.2: Feb 2016
- Changes for Splunk certification
Note: From version 1.2, the Splunk TA(Add-on) for fortigate no longer match wildcard source or sourcetype to extract fortigate log data, a default sourcetype fgt_log is specified in default/props.conf instead, please follow the instruction in documentation to configure your input and props.conf for the App and TA(Add-on).
v1.1: Aug 2015
- Change App Name to "Fortinet Fortigate App for Splunk"
- Move data input processing to "Fortinet Fortigate
Add-On for Splunk"
- Change datamodel and dashboard search strings to fit
the Add-On sourcetypes and fieldnames
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.