Empty dashboards

[mrojas73]

Hi, I was able to import it into Graylog v2.1.1 but the dashboards are empty. Also the name format is very long if I click on "Show received messages" under the input FortiGate Syslog UDP.

I am not sure where to start looking to correct the issue, any assistance would be appreciated.

Thank you.

[kuroboshi]

Have you always the same problem? Did you change the name of the fortinet on fortigate_content_pack.json ?

[Guruleenyc]

I too have the same problem. Imported JSON successfully, Imported Extractors successfully, Pointed Fortigate 5.2 to Input on UDP/30000. But dashboards are empty with data. Can someone help?

[kuroboshi]

I dont change the port syslog on my fortigate so he use udp/514. On json, i change the name and the port of input and it's working for me.

[kuroboshi]

The name of fortigate

[Guruleenyc]

Where in JSON do I change the name? Are you saying to edit the actual JSON file with a text editor? If so, what line?

[Guruleenyc]

I left it default and I am receiving Fortigate messages on the Input, but Dashboards are still empty.

"title" : "FortiGate Syslog UDP", "configuration" : { "override_source" : "", "allow_override_date" : true, "recv_buffer_size" : 262144, "bind_address" : "0.0.0.0", "port" : 30000

[Guruleenyc]

My Graylog Input, which the Content Pack creates, shows incoming messages with a source of . But I noticed the Dashboards are pre-configured with a search query looking for: source:fwf92d3g14000548. How do I fix this?

[kuroboshi]

The dashbord is empty because it's a name that's not your utm.

1) Delete all fortigate's dashbord and input 2) Open fortigate_content_pack.json with notepad and replace the source by the name of your fortigate and the port udp if you have change the udp/port on your utm. (Use notepad because the source name is use 20 times and udp port 2 times). 3) Import the pack and the extractors 4) Verify with fortigate's dashbord, the name of source.

[Guruleenyc]

@kuroboshi , Your steps seem to have resolved my issue. I will give it a few minutes for data to accumulate and populate dashboards. Not sure if a lack of data would cause this dashboard error I am seeing here: https://www.dropbox.com/s/si98td4j4dl8m00/graylog%20fortinet%20dashboard.jpg?dl=0 (when I hover over red alert icon, it states 'error loading widget, cannot get )

This is very good progress!

Thank you for the help so far!

[Guruleenyc]

I am seeing data in the dashboards now, but the Average Received Bytes/Average Sent Bytes widgets are displaying N/A with error loading indication in upper right. Looking at the widget query, it is looking for two fields I do not have in my Fortinet messages, type:traffic AND subytpe:forward. Is there a way to fix this? See this screen-shot: https://www.dropbox.com/s/xiw1x4y57zed1a9/graylog%20fortinet%20widget%20error.jpg?dl=0

[kuroboshi]

With the older version, it worked but with 2.2.3 version the doesn't work anymore. I don't know why.

I use the appliance and i don't upgrade but i use a new ova without the old data.

[Guruleenyc]

Thank you Kuroboshi! I hope this project gets more attention and updated to work with Graylog 2.2.3 and newer versions of Fortigate as it evolves. Beats the way more expensive solution to use Splunk.

[Guruleenyc]

After taking another look at the Average Received Bytes/Average Sent Bytes widgets Dashboard widgets loading error, I do have data for: <myfortigatesource> AND type:traffic AND subtype:forward I see 38,488 results in search for my count, not sure why it is not pulling into widget....