<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Fortinet Fortigate log direct ingest into Splunk in Deployment Architecture</title>
    <link>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441119#M20935</link>
    <pubDate>Tue, 07 May 2019 10:56:33 GMT</pubDate>
    <dc:creator>lakshman239</dc:creator>
    <dc:date>2019-05-07T10:56:33Z</dc:date>
    <item>
      <title>Fortinet Fortigate log direct ingest into Splunk</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441118#M20934</link>
      <description>&lt;P&gt;Hi Guys, &lt;/P&gt;

&lt;P&gt;Can I just check, is it possible for me to direct ingest the Fortigate Fortinet logs into my Splunk environment?&lt;BR /&gt;
Meaning without using Forwarder + syslog server (method), like the following guide for a standalone environment from Fortinet:&lt;BR /&gt;
&lt;A href="https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-Splunk-Deployment-Guide.pdf"&gt;https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-Splunk-Deployment-Guide.pdf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;My current environment setup is as follows:&lt;BR /&gt;
1 x Search Head/Node Master role Server.&lt;BR /&gt;
2 x Cluster Indexer Server.&lt;/P&gt;

&lt;P&gt;If the direct ingest method is possible in my environment, how should I go about configuring it to ensure both my indexers have a replicated copy of the data that was ingested from Fortinet?&lt;/P&gt;

&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Tue, 07 May 2019 09:46:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441118#M20934</guid>
      <dc:creator>christay</dc:creator>
      <dc:date>2019-05-07T09:46:22Z</dc:date>
    </item>
    <item>
      <title>Re: Fortinet Fortigate log direct ingest into Splunk</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441119#M20935</link>
      <description>&lt;P&gt;As per Splunk's best practice, for syslog data sources, it's advised to set up a syslog server [rsyslog/syslog-ng] for a production environment. This can be a low-spec server or a virtual machine, based on the volume of data ingested. This then will send the logs using a UF to the indexer cluster in round robin. The replication factor setting can be used to ensure a copy always resides on the origin and the other indexer.&lt;/P&gt;

&lt;P&gt;If for some reason this cannot be done, then you can deploy an app to both the indexers in the cluster [with a UDP port, which should be higher than 1024 for the non-root account used to run Splunk]. The syslog can go to one of the indexers [as you may need to provide an IP in the Fortinet, unless you can have a DNS record which can round-robin the syslog to both the indexers] and in case of that indexer's failure, you would need to manually change the IP on the Fortinet to the other working indexer. [You may also have cluster issues to handle, when one node goes down in a 2-node cluster.] Make a note of all pros/cons and decide on the approach that suits your need.&lt;/P&gt;</description>
      <pubDate>Tue, 07 May 2019 10:56:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441119#M20935</guid>
      <dc:creator>lakshman239</dc:creator>
      <dc:date>2019-05-07T10:56:33Z</dc:date>
    </item>
    <item>
      <title>Re: Fortinet Fortigate log direct ingest into Splunk</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441120#M20936</link>
      <description>&lt;P&gt;Thanks for the advice, appreciate that. &lt;/P&gt;</description>
      <pubDate>Thu, 09 May 2019 02:58:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Fortinet-Fortigate-log-direct-ingest-into-Splunk/m-p/441120#M20936</guid>
      <dc:creator>christay</dc:creator>
      <dc:date>2019-05-09T02:58:10Z</dc:date>
    </item>
  </channel>
</rss>

