FortiWeb Cloud and Splunk

About Splunk

Splunk Inc. (NASDAQ: SPLK) is the market leader in analyzing machine data to deliver Operational Intelligence for security, IT and the business. Splunk® software provides the enterprise machine data fabric that drives digital transformation. Splunk Enterprise makes it simple to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure, security systems and business applications—giving you the insights to drive operational performance and business results.

FortiWeb Cloud App for Splunk

The Fortinet FortiWeb Cloud App provides real-time and historical dashboards on threats, performance metrics and audit information for FortiWeb Cloud.

With the massive set of logs and big data aggregation through Splunk, the FortiWeb Cloud App for Splunk is certified with pre-defined threat monitoring and performance indicators that help guide network security. Because it serves as the de facto trending dashboard for many enterprises and service providers, IT administrators can also modify its regular expression queries to build custom views for advanced security reporting and compliance mandates.
Fortinet FortiWebCloud App for Splunk: https://splunkbase.splunk.com/app/4627/

Note: Fortinet FortiWeb Cloud App depends on the Add-on to work properly. Make sure Fortinet FortiWebCloud Add-on for Splunk has been installed before you proceed.

FortiWeb Cloud Add-on for Splunk

Fortinet FortiWeb Cloud Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and audit data collected from FortiWeb Cloud, which includes attack and audit logs.

Fortinet FortiWebCloud Add-on for Splunk: https://splunkbase.splunk.com/app/4626/

Deployment prerequisites

  1. Splunk version 7.2.5 or later
  2. FortiWeb Cloud Add-On for Splunk
  3. FortiWeb Cloud App for Splunk
  4. A Splunk.com username and password

Splunk configuration

  1. Click the gear (Manage Apps) from Splunk Enterprise.
  2. Click Browse more apps, and search for FortiWebCloud.
  3. Install Fortinet FortiWebCloud Add-on for Splunk.
  4. Then install Fortinet FortiWebCloud App for Splunk.
  5. Restart Splunk Enterprise.
  6. From Settings, click Data Inputs under Data.
  7. Click Add new in the UDP line to create a new UDP input.
  8. Create a UDP data source, for example, on Port 514.
  9. Click Next.
  10. For Source type, click Select tab. Click Select Source Type, enter "fwbcld" in the filter box, and select "fwbcld_log".
    Fortinet FortiWebCloud Add-On for Splunk will by default automatically extract FortiWebCloud log data from inputs with sourcetype 'fwbcld_log'.
  11. For App context, select Fortinet FortiWebCloud App for Splunk.
  12. Click Review to check the items.
  13. Click Submit.
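The same UDP input expressed as a Splunk inputs.conf stanza, added here as an illustration and not taken from the Fortinet add-on or app; the index name and the app directory name are assumptions:

```ini
# Equivalent of the UI steps above, written as a local configuration file.
# To match the "App context" step, place it under the app that should own
# the input, for example:
#   $SPLUNK_HOME/etc/apps/<fortiwebcloud-app-directory>/local/inputs.conf
# <fortiwebcloud-app-directory> is a placeholder for the directory name of
# the app installed from Splunkbase.
#
# Note: on Linux, binding a port below 1024 (such as 514) requires Splunk to
# run with the privilege to do so; otherwise choose a higher port and point
# the FortiWeb Cloud log server at that port instead.

# UDP listener on port 514. The add-on recognises FortiWeb Cloud events by
# this sourcetype and extracts the fields from it.
[udp://514]
sourcetype = fwbcld_log
# Assumption: events go to the default index; change if you index elsewhere.
index = main
# Record the sending FortiWeb Cloud address in the host field of each event.
connection_host = ip
disabled = 0
```

Restart Splunk Enterprise after saving the file, then run the verification searches described below.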

FortiWeb Cloud configuration

Configure FortiWeb Cloud to send logs to the Splunk server.

Attack logs
  1. Go to ADD MODULES.
  2. Enable Attack Log Export, and click OK.
  3. Go to Logs > Attack Log Export, and enable Attack Log Export.
  4. Click Add Log Server.
  5. Configure these settings. See Exporting attack logs for details.
    For Log Format, select Splunk.
Audit logs
  1. Go to Global > Settings.
  2. Enable Audit Logs Export.
  3. Configure these settings. See Exporting attack logs for details.
    For Log Format, select Splunk.

Logs verification on Splunk server

To verify whether logs have been received by the Splunk server:

  1. On Splunk web UI, go to Apps > Search & Reporting.
  2. If attack logs have been sent to Splunk, enter 'sourcetype="fwbcld_attack"' in the search box. Change the time range if necessary. The attack logs will be listed below.
  3. If audit logs have been sent to Splunk, enter 'sourcetype="fwbcld_event"' in the search box. Change the time range if necessary. The audit logs will be listed below.
  4. Go to the dashboard of Fortinet FortiWebCloud App for Splunk. On the Security Overview, Attack, and Event tabs, you can see the data parsed and presented.

Troubleshooting

What to do if data does not show up in the Dashboards?

  1. Go to Settings > Data Inputs. Verify that you have a UDP data input enabled on a port, for example, 514.
  2. Go to Settings > Indexes. Verify that your Index (typically main) is receiving data and that the Latest Event is recent. If not, verify that the FortiWeb Cloud Syslog settings are correct and that FortiWeb Cloud can reach the Splunk server.
