topic How to configure Splunk forwarder to receive FortiGate logs? in Getting Data In

How to configure Splunk forwarder to receive FortiGate logs?

jejohnson — Tue, 05 Sep 2023 19:44:28 GMT

I have a Splunk universal forwarder installed. The Splunk Enterprise is seeing the forwarder, now I want to send network firewall logs to host forwarder to be sent to Enterprise platform.

Re: Configure Splunk forwarder to receive FortiGate logs.

gcusello — Tue, 05 Sep 2023 13:47:42 GMT

Hi @jejohnson,

Fortinet Fortigate sends its logs using syslog, so you have two choices:

use a Universal Forwarder with a syslog server (betyer solution),
Use an Heavy Forwarder (doesn't need a syslog server).

Using the first solutin you should configure a very little machine (also 2/4 CPUs and 4/8 GB RAM) with Linux and an rsyslog (or syslog-ng) server that writes the received syslogs in text files.

Then you can use the Universal Forwarder to read the files and send them to the Indexers.

In the UF, you have to install also the Fortinet Fortigate Add-On for Splunk (https://splunkbase.splunk.com/app/2846) to parse the logs.

This Add-On must also be installed on the Search Heads and eventually also on intermediate Heavy Forwarders (if present).

Plus:

This solution requires a less performant server and permits to write logs even if the Splunk UF is down.

Minus:

Requires manual configurations of the rsyslog and the UF.

The second solution, it's easier to configure because you can do everything bu GUI, but requires a more performant server (at least 8/12 CPUs and 8/12 GB RAM).

This solution is prefeable if you already have an Heavy Forwarder.

In the HF, you have to install also the Fortinet Fortigate Add-On for Splunk (https://splunkbase.splunk.com/app/2846) to parse the logs.

The Add-On must also be installed on the Search Heads and eventually also on intermediate Heavy Forwarders (if present).

Plus:

easier to implement.

Minus:

it requires a more performant server and doesn't ingest logs when Splunk is down.

In both the solutions, it's better to have two receivers and a Load Balancer to avoid a Single Point of Failure in case of maintenance or fail of the server-

Ciao.

Giuseppe

Re: Configure Splunk forwarder to receive FortiGate logs.

richgalloway — Tue, 05 Sep 2023 13:54:10 GMT

Install the FortGate add-on (https://splunkbase.splunk.com/app/2846) on your UF and your Splunk indexers and search head(s). That page will have installation instructions.

Re: How to configure Splunk forwarder to receive FortiGate logs?

Satyams14 — Mon, 15 Apr 2024 03:58:14 GMT

Hello @gcusello ,

I have the same scenerio in which i have architecture as follow:

Fortinet analyzer> syslog forwarder(UF installed on it)>Deployment server>search head/indexer

Could you confirm how we can install Fortinet add-on on UF?

Re: How to configure Splunk forwarder to receive FortiGate logs?

gcusello — Mon, 15 Apr 2024 06:52:59 GMT

Hi @Satyams14 ,

it isn't a good idea adding a new question, even if on the same topic, to another question because with a new question you could have a quicker and probably better answer.

Anyway, as I said in the previous answer, you have to install the Fortinet Add-On on the UF/HF that you're using to receive data and on the Search Heads.

As I said I hint to use a rsyslog receiver that writes the logs on files that you read using the UF.

Ciao.

Giuseppe