
Fortinet FortiGate App for Splunk


Next Generation and Datacenter Firewalls

Overview

The Fortinet FortiGate App for Splunk provides real-time and historical dashboards and analytical reports on traffic, threats, wireless APs, systems, authentications and VPNs for all products across the FortiGate physical and virtual appliances. The integrated solution pinpoints threats and attacks with faster response times, without long exposure in an unknown troubleshooting state.

With the massive set of logs and big data aggregation through Splunk, the Fortinet FortiGate App for Splunk is certified and ships with pre-defined threat monitoring and performance indicators that make network security practice in the datacenter a lot easier. As the de facto trending dashboard for many enterprises and service providers, it also lets IT administrators modify the regular expression queries to fit advanced security reporting and compliance mandates.

This document describes how to set up Fortinet FortiGate App for Splunk as well as configuration on the appliances to enable log shipping to Splunk.

Dependencies

The Fortinet FortiGate App depends on the Add-on in order to work properly, so please make sure Fortinet FortiGate Add-on for Splunk has been installed before you proceed.

Also check that the FortiGate runs FOS (FortiOS) 5.0 or later. Starting with version 1.6.0, the app depends on Add-on version 1.6.3 or later.

Configuration Steps

1. Install Fortinet FortiGate Add-on for Splunk on a search head, indexer, forwarder or single-instance Splunk server:

Note: There is a 3rd-party add-on for Fortinet named "Fortinet Fortigate with FortiOS 5 Add-On" with folder name TA-fortinet, which conflicts with Fortinet FortiGate Add-on for Splunk, so you need to disable the 3rd-party add-on before you proceed.

There are three ways to install the add-on:

Install from Splunk web UI: Manage Apps -> Browse more apps -> Search keyword "Fortinet" and find the add-on with the Fortinet logo -> Click the "Install free" button -> Click restart Splunk service.

Install from file on Splunk web UI: Manage Apps -> Install from file -> Upload the .tgz file downloaded from https://splunkbase.splunk.com/apps -> check the upgrade box -> click restart Splunk service.

Install from file on the Splunk server CLI: Extract the .tgz file -> Place the TA-fortinet folder under $SPLUNK_HOME/etc/apps -> Restart the Splunk service.

2. Install Fortinet FortiGate App for Splunk on a search head, indexer, forwarder or single-instance Splunk server:

There are three ways to install the app:

Install from Splunk web UI: Manage Apps > Browse more apps > Search keyword "Fortinet" > Click the "Install free" button > Click Restart Splunk Service.

Install from file on Splunk web UI: Manage Apps > Install from file > Upload the .tgz file downloaded from https://splunkbase.splunk.com/app > Click Restart Splunk service.

Install from file on the Splunk server CLI: Extract the .tgz file > Place the SplunkAppForFortinet folder under $SPLUNK_HOME/etc/apps > Restart Splunk Service.

3. Add data input on the Splunk server:

Note: From version 1.2, the Splunk TA (Add-on) for FortiGate no longer matches a wildcard source or sourcetype to extract FortiGate log data; instead, a default sourcetype fortigate_log (before 1.6 the default was fgt_log) is specified in default/props.conf. Follow the instructions below to configure your input and props.conf for the App and TA (Add-on).

Through Splunk Web UI:

Option 1: Adding a TCP/UDP input
Settings -> Data Input -> UDP
Port: 514 (example; can be modified according to your own plan)
Sourcetype: fortigate_log (example; can be modified according to your own plan, but it must match the sourcetype stanza in props.conf)

Option 2: Adding a file input
Settings -> Data Input -> Files & Directories
Browse: select the file directory
Select sourcetype: if fortigate_log is not created yet, click Save As -> Name: fortigate_log
Leave the other settings unchanged and save.

Note: the UDP port (514 in this example) must be open on the firewall for logs to pass through. If you choose a TCP input and use "reliable" (TCP) mode in the FortiGate syslog setting, you will need to add the following to local/props.conf, because TCP-transported syslog carries a numeric header as the line indicator (8514 below is an example TCP port; choose your own). There is no timestamp header as with UDP, so the timestamp field in the FortiGate log is specified instead; in our case the precision is nanoseconds, so the time format is %s%9N. If your FOS version carries a timestamp of a different precision, refer to: https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Commontimeformatvariables

[source::tcp:8514]
SHOULD_LINEMERGE = false
LINE_BREAKER = (\d{2,3}\s+)
TIME_PREFIX = eventtime=
TIME_FORMAT = %s%9N

Fortinet FortiGate Add-On for Splunk will by default automatically extract FortiGate log data from inputs with sourcetype 'fortigate_log'. If you want it to extract a self-defined sourcetype, copy $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/default/props.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_fortinet_fortigate/local/props.conf and rename the sourcetype stanza, for instance replacing [fortigate_log] with [fortigate].

Note: Please use Notepad++ to edit the configuration files if you are working on a Windows operating system. The default Windows Notepad cannot display or save the configuration files in the proper format.

If a customized index is used for the input, it also needs to be added to the admin user's default list of indexes authorized for searching, in $SPLUNK_HOME/etc/system/local/authorize.conf:

[role_admin]
srchIndexesDefault = fortigate;main
srchMaxTime = 8640000

In this example, fortigate is the index for my fortigate log input.

Restart Splunk service for the change to take effect.

4. Configure FortiGate to send logs to the Splunk server (use 'config log syslogd2 setting' or 'config log syslogd3 setting' if syslogd is already occupied). Port 514 is an example; it must be the same port as in the data input on the Splunk server:

config log syslogd setting
    set status enable
    set server "x.x.x.x"
    set port 514
end

Note: If you are forwarding FortiGate logs from FortiAnalyzer, make sure you set the format to syslog instead of the default CEF format. If you would like to use TCP as the transport protocol, add 'set mode reliable' and refer to step 3 above for the TCP-related configuration on the Splunk side.

5. Enable Data Model Acceleration:

Since version 1.5.0 of the app, data model acceleration is no longer enabled in default/datamodels.conf. You must either enable acceleration in the Splunk GUI under Settings -> Data Models -> Fortinet FoS Log, or, on the Splunk search head where the app is installed, create a "local" folder under $SPLUNK_HOME/etc/apps/SplunkAppForFortinet/ and create a file named datamodels.conf in that folder with the following content:

[ftnt_fos]
acceleration = 1
acceleration.earliest_time = -1mon

6. Verify that logs are received on the Splunk server:


At this point, you will see data parsed and presented on Fortinet Network Security dashboard.


Fortinet FortiGate App for Splunk delivers data visibility across Fortinet's next-generation firewalls and the analysis needed for advanced security reporting, without error-prone manual processes.

7. (Optional) Extract time from FOS log:

Newer FOS versions (6.0 and later) include an eventtime field carrying the epoch time in FortiGate logs. To use it as the timestamp, add the following to local/props.conf under the stanza of the corresponding input. If the eventtime field has 19 digits (FOS 6.4 and later):

TIME_FORMAT = %s%9N
TIME_PREFIX = eventtime=

If the eventtime field has 10 digits:

TIME_FORMAT = %s
TIME_PREFIX = eventtime=

In FOS5.6 version, the field is called logtime, so change TIME_PREFIX accordingly:

TIME_FORMAT = %s
TIME_PREFIX = logtime=

8. (Optional) Reduce Log Volume:

Splunk Enterprise can send unwanted incoming events to nullQueue to discard them during data routing and filtering. To set up this filter, add the following TRANSFORMS setting to local/props.conf of the FortiGate add-on Splunk_TA_fortinet_fortigate. Example:

TRANSFORMS-force_sourcetype_fortigate = setnull,force_sourcetype_fortigate

Also add the following stanza to local/transforms.conf of the FortiGate add-on Splunk_TA_fortinet_fortigate:

[setnull]
REGEX = policyid=57
DEST_KEY = queue
FORMAT = nullQueue

REGEX = policyid=57 is only an example; use a regular expression that matches the events you want to discard.

Please restart Splunk service for the change to take effect.

9. (Optional) Using syslog-ng to send FortiGate logs to Splunk Cloud:

9a. Configure syslog-ng

1. Disable rsyslog: sudo dpkg --purge rsyslog
2. Install syslog-ng: apt install syslog-ng
3. Configure syslog-ng by adding the following content to /etc/syslog-ng/syslog-ng.conf:

@version:3.5
# syslog-ng configuration file.
source s_network { udp(port(5514)); };

# Destinations
destination d_all {
    file("/var/log/fortigate/$HOST/$YEAR-$MONTH-$DAY-catch_all.log" create_dirs(yes));
};

# Filters
filter f_all { };

# Log
log { source(s_network); destination(d_all); };

4. Restart the syslog-ng service: service syslog-ng restart

9b. Configure the Fortinet devices to point their syslog to the syslog-ng server

Run the following CLI commands on the FortiGate to send syslog to syslog-ng (the address of the syslog-ng server goes in the quotes of 'set server'):

config log syslogd setting
    set status enable
    set server ""
    set port 5514
end

9c. Configure the Splunk Universal Forwarder on the syslog-ng server

1. Install the Splunk Universal Forwarder. Refer to: https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/HowtoforwarddatatoSplunkCloud?ref=hk#HowtoforwarddatatoSplunkCloud#How_to_forward_data_to_Splunk_Cloud
2. Configure the Splunk Universal Forwarder. Add the data source to /opt/splunkforwarder/etc/search/local/inputs.conf:

[monitor:///var/log/fortigate/*/*.log]
sourcetype = fortigate_log
disabled = false

3. Install Fortinet FortiGate Add-on for Splunk in Splunk Cloud. Through the Splunk Cloud web UI: Apps -> Find More Apps -> Search keyword "Fortinet" and find the add-on with the Fortinet logo -> Click the "Install" button.
4. Restart the Splunk service.

Troubleshooting

Check whether the FortiGate runs FOS 5.0 or later.

Go back to Configuration Steps to double-check that every step has been followed.

Make sure the port (514 in this case) is open on firewalls throughout the log's data path.

Double-check that the Splunk server and the FortiGate devices are synchronized in time.

Make sure traffic logging is enabled in the policies of the FortiGate configuration, for example:

config firewall policy
    edit 1
        set logtraffic all
    end
end

If you see graphs on the first page (Fortinet Network Security) but none on the rest of the dashboards, try extending the time range. If graphs appear after increasing the time range, the probable cause is that the data model is not yet completely accelerated. You can verify this under Settings > Data Model > Fortinet FoS Log > Expand. If the percentage is low, the Splunk server is limited on resources, and it may take some time for the data model acceleration to catch up.

Sometimes the logs received by syslogd are transformed and no longer match the regex in the app, so no data is shown on the dashboards. Here is the regex from transforms.conf of the FortiGate add-on Splunk_TA_fortinet_fortigate:

REGEX = ^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)

Make sure the log matches this regex. If not, you can make slight changes to the regex to fit the log. Note that in FOS 5.6 the type field is wrapped in double quotes, so for FortiGate logs to be recognized, upgrade Fortinet FortiGate Add-on for Splunk to version 1.5. The App only supports logs from FOS 5.0 and higher; older versions have a different log format, so you will probably encounter problems. If you still have no luck getting the dashboards to show anything, try searching for "host=x.x.x.x", where x.x.x.x is the IP or the hostname of the machine reporting the log. If there are any results with sourcetype=fortigate_traffic, fortigate_event or fortigate_utm, you just need a little patience; if not, take a screenshot and send it to the email below.
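The following is an added example, not code from the add-on or the app: it emulates, on constructed sample events, the three settings this page configures for incoming FortiGate events (the add-on's sourcetype-recognition regex quoted above, the [setnull] nullQueue filter from step 8, and the eventtime extraction from step 7 with its 10-digit and 19-digit forms), so a log sample can be checked offline before changing props.conf or transforms.conf.

```python
import re

# Added example (not the add-on's code): emulates how this page's props/transforms settings treat FortiGate events.

# Sourcetype-recognition regex as quoted from the add-on's transforms.conf.
TYPE_RE = re.compile(
    r'^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)'
)
# [setnull] REGEX from step 8; matches go to nullQueue (as a bare substring it also matches policyid=570).
SETNULL_RE = re.compile(r"policyid=57")
# TIME_PREFIX = eventtime= with TIME_FORMAT %s (10 digits) or %s%9N (19 digits).
EVENTTIME_RE = re.compile(r"eventtime=(\d{10,19})")

def classify(line):
    """Sourcetype the add-on would assign, or None if the regex does not match."""
    m = TYPE_RE.search(line)
    return f"fortigate_{m.group(1)}" if m else None

def event_epoch(line):
    """Epoch seconds from eventtime=, for both the 10-digit and 19-digit forms."""
    m = EVENTTIME_RE.search(line)
    if not m:
        return None
    digits = m.group(1)
    if len(digits) == 19:  # %s%9N: 10 digits of seconds, then 9 of nanoseconds
        return int(digits[:10]) + int(digits[10:]) / 1e9
    return int(digits)     # %s: plain epoch seconds

def route(lines):
    """Apply the setnull filter first, then classify and timestamp the survivors."""
    kept, dropped = [], []
    for line in lines:
        if SETNULL_RE.search(line):
            dropped.append(line)
        else:
            kept.append((classify(line), event_epoch(line), line))
    return kept, dropped

# Constructed sample events (not real device output): 19-digit eventtime,
# a policyid=57 event to drop, 10-digit eventtime, and an unrecognised devid.
SAMPLE = [
    'date=2021-06-01 time=12:00:00 devid="FG100ETK18000001" eventtime=1622548800123456789 type="traffic" policyid=1 action="accept"',
    'date=2021-06-01 time=12:00:01 devid="FG100ETK18000001" eventtime=1622548801 type="utm" subtype="webfilter" policyid=57',
    'date=2021-06-01 time=12:00:02 devid="FG100ETK18000001" eventtime=1622548802 type="event" subtype="system" logdesc="Admin login"',
    'date=2021-06-01 time=12:00:03 devid="XX12345" type="traffic" policyid=2',
]

if __name__ == "__main__":
    kept, dropped = route(SAMPLE)
    for sourcetype, epoch, line in kept:
        print(sourcetype, epoch, line[:45])
    print(f"{len(dropped)} event(s) discarded via nullQueue")
```

The last sample line shows the troubleshooting case: a line the regex cannot classify gets no fortigate_* sourcetype and so never reaches the dashboards.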

For more information on the App support, email [email protected] for further support.


