User Guide

FortiWeb Cloud and Splunk

About Splunk

Splunk Inc. (NASDAQ: SPLK) is the market leader in analyzing machine data to deliver Operational Intelligence for security, IT and the business. Splunk® software provides the enterprise machine data fabric that drives digital transformation. Splunk Enterprise makes it simple to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure, security systems and business applications—giving you the insights to drive operational performance and business results.

FortiWeb Cloud App for Splunk

The Fortinet FortiWeb Cloud App provides real-time and historical dashboards on threats, performance metrics and audit information for FortiWeb Cloud.

With the massive set of logs and big data aggregation through Splunk, the FortiWeb Cloud App for Splunk is certified with pre-defined threat monitoring and performance indicators that help guide network security. As the de facto trending dashboard for many enterprises or service providers, IT administrators can also modify the regular expression query to custom fit views for advanced security reporting and compliance mandates.
FortiWeb Cloud App for Splunk: https://splunkbase.splunk.com/app/4627/

Fortinet FortiWeb Cloud App depends on the Add-on to work properly. Make sure Fortinet FortiWeb Cloud Add-on for Splunk has been installed before you proceed.

FortiWeb Cloud Add-on for Splunk

Fortinet FortiWeb Cloud Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and audit data collected from FortiWeb Cloud, which includes attack and audit logs.

Fortinet FortiWebCloud Add-on for Splunk: https://splunkbase.splunk.com/app/4626/

Deployment prerequisites

  1. Splunk version 8.1.0 or later
  2. FortiWeb Cloud Add-On for Splunk (https://splunkbase.splunk.com/app/4626)
  3. FortiWeb Cloud App for Splunk (https://splunkbase.splunk.com/app/4627)
  4. A Splunk.com username and password

Splunk configuration

  1. Click the gear (Manage Apps) from Splunk Enterprise.
  2. Click Browse more apps, and search for FortiWebCloud.
  3. Install Fortinet FortiWebCloud Add-on for Splunk.
  4. Install Fortinet FortiWebCloud App for Splunk.

    Note: If the Fortinet FortiWebCloud App for Splunk and Fortinet FortiWebCloud Add-on for Splunk cannot be installed from Browse more apps, please go to Splunkbase, download the Add-on and App (two .tgz files), then install them by clicking the gear (Manage Apps) > Install app from file.

  5. Restart Splunk Enterprise.
  6. From Settings, click Data Inputs under Data.
  7. Click Add new in the UDP or TCP line to create a new input rule with corresponding protocol. See the UDP protocol example below.
  8. Create a UDP data source. In the example below, we have used Port 514. Afterwards, click Next.

  9. For Source type, click the Select tab then click Select Source Type. Enter "fwbcld" in the filter box, and select fwbcld_log.
    By default, Fortinet FortiWebCloud App for Splunk will automatically extract FortiWebCloud log data from inputs with source type 'fwbcld_log'.
  10. For App context, select Fortinet FortiWebCloud App for Splunk.
  11. Click Review to check the items.
  12. Click Submit.
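The UDP data input created in steps 6 to 12 can also be defined in an inputs.conf file, which is convenient when the same input has to be deployed on several Splunk instances. This stanza is an added example and is not part of the Fortinet documentation; the app directory name is a placeholder, while port 514, the fwbcld_log source type and the main index are the values used on this page:

```ini
# Added example: file-based equivalent of the UDP data input configured above.
# Place it in $SPLUNK_HOME/etc/apps/<fortiwebcloud-app-directory>/local/inputs.conf
# (the directory name is a placeholder; it corresponds to the "App context"
# chosen in step 10). Restart Splunk Enterprise after editing.

[udp://514]
# Source type from which the FortiWebCloud Add-on extracts fields (step 9)
sourcetype = fwbcld_log
# Index the events are written to; the troubleshooting section assumes "main"
index = main
# Record the sender's IP address as the host field, so it is easy to confirm
# that events really originate from the FortiWeb Cloud management addresses
connection_host = ip
```

After the restart, Settings > Data Inputs > UDP should list port 514 with source type fwbcld_log, and the searches in "Logs verification on Splunk server" can be used to confirm that events arrive.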

FortiWeb Cloud configuration

Configure FortiWeb Cloud to send logs to Splunk server.

Attack logs
  1. Go to Log Settings, enable Attack Log Export.
  2. Click Add Log Server.
  3. Configure the server and export options. See Exporting attack logs for details.
    For Log Format, select Splunk.

Audit logs
  1. Go to Global > System Settings > Settings.
  2. Enable Audit Logs Export.
  3. Configure these settings. See Audit logs for details.
    For Log Format, select Splunk.

Logs verification on Splunk server

To verify whether logs have been received by Splunk server

  1. On Splunk web UI, go to Apps > Search & Reporting.
  2. If attack logs have been sent to Splunk, enter 'sourcetype="fwbcld_attack"' in the search box. Change the time range if necessary. The attack logs will be listed below.
  3. If audit logs have been sent to Splunk, enter 'sourcetype="fwbcld_event"' in the search box. Change the time range if necessary. The audit logs will be listed below.
  4. Go to the dashboard of Fortinet FortiWebCloud App for Splunk. On the Security Overview, Attack, and Event tabs, you can see the data parsed and presented.

Troubleshooting

If data is not showing up in the Dashboards:

  • Go to Settings > Data Inputs. Verify that you have a UDP data input enabled on the configured port, for example 514.
  • Go to Settings > Indexes. Verify that your Index (typically main) is receiving data and that the Latest Event is recent. If not, verify the FortiWeb Cloud Syslog settings are correct and that it can reach the Splunk server.
  • Verify that the port used for data input is accessible in your security group of the Splunk server.
  • Ensure that the FortiWeb Cloud service Management IP addresses are in the white list of your Splunk server.
  • Verify the Splunk server is listening to the correct port.

If the App and Add-on cannot be installed from Browse more:

  • Go to Splunkbase, download the Add-on and App (two .tgz files), then install them by clicking the gear (Manage Apps) > Install app from file.

If the dropdown in the Attack or Event dashboards has no values:

  1. Go to Settings > Data models.

  2. Find FortiWebCloud FOS Log, click Edit > Edit Acceleration.

  3. Enable Accelerate, then wait for 5 minutes or restart Splunk. The dropdown will then be populated in the App.