Not seeing logs in log search

Hi, I have integrated Fortinet, In data collection I see logs but when I go to Log search I cannot see any logs
Does anyone know how to solve this? I have the same problem with Crowdstrike, SentinelOne and PaloAlto.

Thanks in advance

Hi Rembrandt,

When you see raw data hitting the collector and nothing in log search that is usually an indicator that the logs do not match our parser logic for that event source.

I took a look on the backend and I see your Fortinet logs are in CSV format, not the default KVP format which we expect.

Here is an example log line for Fortinet Firewall logs (from our tests)

<189>date=2018-02-28 time=08:34:39 devname=RLF-FW-200D devid=FG200D3914807782 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd=root msg="File submitted to Sandbox." action=analytics service="HTTP" sessionid=3587241 srcip=172.16.1.146 dstip=184.50.238.34 srcport=51417 dstport=80 srcintf="port1" dstintf="wan1" policyid=51 proto=6 direction=incoming filename="25704376_b544d886acaae881422fc49223f7eb96a3c133f2.cab" url="http://download.windowsupdate.com/c/msdownload/update/others/2017/10/25704376_b544d886acaae881422fc49223f7eb96a3c133f2.cab" profile="default" user="JHeysel" agent="Windows-Update-Agent/10.0.10011.16384" virus="clean" analyticscksum="ab825e4736aa469342910eed7d58246b4e285b9f741a5660be44eb3d8452eea1" analyticssubmit=true

You can see the format of your logs by hitting the View Raw Logs button on the Data Collection page

As outlined in the docs here: Fortinet Firewall | InsightIDR Documentation

You need to run

set format default


As for your Crowdstrike event source, it appears this event source only received data once for a brief period in Oct 2020, so you will want to review the source responsible for sending these events to ensure it is configured correctly.


Lastly, for your Palo Alto event source, I took a look and it appears to be working as expected and is sending logs to Log Search. One thing to note: this event source listens for System, Traffic and Threat events, so you will want to make sure each of these is enabled.

If you require further assistance please raise a support case and we can go into further detail.
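The reply above comes down to one check: does the raw line arriving at the collector look like the key=value (KVP) format the parser expects, or like CSV? The script below is an added example, not code from Rapid7 or from the original thread. It classifies a raw Fortinet syslog line as KVP or CSV and, for KVP lines, parses the fields into a dictionary (handling the `<PRI>` prefix and double-quoted values that contain spaces). The KVP sample is the example line from the reply; the CSV sample is a constructed line carrying the same values in comma-separated form, and the thresholds in `detect_format` are my own assumptions, not a documented rule.

```python
import re
from typing import Dict, List, Tuple

# A KVP token is key=value where value is a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Leading syslog priority field, e.g. <189>
_PRI_RE = re.compile(r"^<(\d{1,3})>")

# Example KVP line quoted in the reply above (straight quotes).
KVP_LINE = (
    '<189>date=2018-02-28 time=08:34:39 devname=RLF-FW-200D devid=FG200D3914807782 '
    'logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd=root '
    'msg="File submitted to Sandbox." action=analytics service="HTTP" sessionid=3587241 '
    'srcip=172.16.1.146 dstip=184.50.238.34 srcport=51417 dstport=80 srcintf="port1" '
    'dstintf="wan1" policyid=51 proto=6 direction=incoming '
    'filename="25704376_b544d886acaae881422fc49223f7eb96a3c133f2.cab" '
    'url="http://download.windowsupdate.com/c/msdownload/update/others/2017/10/'
    '25704376_b544d886acaae881422fc49223f7eb96a3c133f2.cab" profile="default" '
    'user="JHeysel" agent="Windows-Update-Agent/10.0.10011.16384" virus="clean" '
    'analyticscksum="ab825e4736aa469342910eed7d58246b4e285b9f741a5660be44eb3d8452eea1" '
    'analyticssubmit=true'
)

# Constructed CSV-style line (same values, values only, no keys): this is an
# illustration of the mismatch, not a verbatim Fortinet CSV record.
CSV_LINE = (
    "<189>2018-02-28,08:34:39,RLF-FW-200D,FG200D3914807782,0201009233,utm,virus,"
    'analytics,notice,root,"File submitted to Sandbox.",analytics,HTTP,3587241'
)


def strip_pri(line: str) -> str:
    """Remove a leading syslog <PRI> field so it is not mistaken for a value."""
    return _PRI_RE.sub("", line, count=1).strip()


def parse_kvp(line: str) -> Dict[str, str]:
    """Parse a key=value Fortinet line into a dict; quoted values are unquoted."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(strip_pri(line)):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def detect_format(line: str) -> str:
    """Classify a raw line as 'kvp', 'csv' or 'unknown'.

    Assumption (mine): a Fortinet KVP line starts with date= and carries many
    key=value pairs; a CSV line carries many commas and essentially no pairs.
    """
    body = strip_pri(line)
    pairs = len(_KV_RE.findall(body))
    commas = body.count(",")
    if body.startswith("date=") and pairs >= 5:
        return "kvp"
    if commas >= 5 and pairs <= 1:
        return "csv"
    return "unknown"


def audit_raw_logs(lines: List[str]) -> List[Tuple[str, int]]:
    """For each raw line return (detected format, number of parsed KVP fields).

    A line reported as 'csv' with 0 fields is exactly the symptom in the thread:
    data reaches the collector but the KVP parser has nothing to extract.
    """
    report = []
    for line in lines:
        fmt = detect_format(line)
        count = len(parse_kvp(line)) if fmt == "kvp" else 0
        report.append((fmt, count))
    return report


if __name__ == "__main__":
    for raw, (fmt, n) in zip([KVP_LINE, CSV_LINE], audit_raw_logs([KVP_LINE, CSV_LINE])):
        print(f"{fmt:8s} fields={n:2d}  {raw[:60]}...")
```

Run it over a few lines copied from the View Raw Logs button: if the KVP sample parses to its full set of fields while your own lines come back as `csv` with zero fields, the output format on the FortiGate (the `set format default` step in the reply) is the thing to fix, not the collector.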