Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0, why are Fortigate Events not forwarding correctly?

beano501 — Mon, 06 Jun 2022 20:55:19 GMT

I have the following line in my splunk_metadata.csv to forward forcepoint proxy logs to the index called proxy_forcepoint. This worked when running the latest 1.x release.

Post upgrade, some of the events still go into the index above (these have the sc4s_vendor_product field set to forcepoint), whereas other events are delivered to the lastchanceindex (these to not have a field sc4s_vendor_product)

Looking in app-syslog-forcepoint_webprotect.conf (from the source from 2.29 source), Forcepoint messages are recognised by "vendor=Forcepoint" (which all messages have), and if Product is "Security" (which all messages have) - then the rewrite rule should set "product("webprotect")".

So I cannot see what is obviously wrong in the configuration or events, or how to investigate the events to set the line in splunk_metadata.csv appropriately to get the routing to happen as I wish

All help appreciated

Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly.

Random_Walk — Thu, 02 Jun 2022 07:26:46 GMT

> I have the following line in my splunk_metadata.csv

I don't see any line there sir.

Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly.

beano501 — Mon, 06 Jun 2022 08:08:31 GMT

Doh 😞

forcepoint_webprotect,index,proxy_forcepoint

topic Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly. in Getting Data In

Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0, why are Fortigate Events not forwarding correctly?

Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly.

Re: Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0 Fortigate Events not all forwarding correctly.