Not seeing logs in log search

Hi, I have integrated Fortinet, In data collection I see logs but when I go to Log search I cannot see any logs
Does anyone know how to solve this? I have the same problem with Crowdstrike, SentinelOne and PaloAlto.

Thanks in advance

Hi Rembrandt,

When you see raw data hitting the collector and nothing in log search that is usually an indicator that the logs do not match our parser logic for that event source.

I took a look on the backend and I see your Fortinet Logs are in csv format, not the default KVP format which expect.

Here is an example log line for Fortinet Firewall logs (from our tests)

<189>date=2018-02-28 time=08:34:39 devname=RLF-FW-200D devid=FG200D3914807782 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd=root msg=“File submitted to Sandbox.” action=analytics service=“HTTP” sessionid=3587241 srcip= dstip= srcport=51417 dstport=80 srcintf=“port1” dstintf=“wan1” policyid=51 proto=6 direction=incoming filename=“” url=“” profile=“default” user=“JHeysel” agent=“Windows-Update-Agent/10.0.10011.16384” virus=“clean” analyticscksum=“ab825e4736aa469342910eed7d58246b4e285b9f741a5660be44eb3d8452eea1” analyticssubmit=true

You can see the format of your logs by hitting the View Raw Logs button on the Data Collection page

As outlined in the docs here: Fortinet Firewall | InsightIDR Documentation

You need to run

set format default

As for your Crowdstrike event source, it appears this event source only received data once for a brief period in Oct 2020, so you will want to review the source responsible for sending these event to ensure it is configured correctly.

Lastly for your Palo Alto Event Source I took a look at it appears to be working as expected. And is sending logs to log search. One thing to note, this event source listens for System, Traffic and Threat events, so you will want to make sure each of these are enabled.

If you require further assistance please raise a support case and we can go into further detail.