topic Re: sc4s index re-route in Getting Data In

sc4s index re-route

capjacksparo — Sun, 20 Apr 2025 16:54:50 GMT

Hi Folks,

New to Splunk and SC4S deploymenet. So far I have been able to make good progress. I have setup 2 SC4S servers one on linux and the other on windows with WSL. The challenge that I am facing is that all the syslogs are doing to the default indices. For example I see that the FW logs are going to netfw.

I am trying to move them to a new index that I have created- index_new.

I have tried editing the splunk_metadata.csv file but I still see the logs going to netfw. i have tried different configurations but nothing worked.

fortinet_fortigate,index, index_new

ftnt_fortigate, index,index_new

netfw,index,index_new

In the HEC configuration, I have not selected any index and left it blank. The default index is set to index_new

Thank you in advance.

PS: I have also tried the Maciek Stopa's posfilter.conf script as well.

Re: sc4s index re-route

livehybrid — Sun, 20 Apr 2025 09:22:47 GMT

To re-route logs to a different index in SC4S, you must correctly map the source type to your target index in the splunk_metadata.csv file. The format is:

key,index,value

Regarding the key names, you can see these at https://splunk.github.io/splunk-connect-for-syslog/1.91.5/sources/Fortinet/ which are:

key sourcetype default index

key	default index
fortinet_fortios_traffic	netfw
fortinet_fortios_utm	netfw
fortinet_fortios_event	netops
fortinet_fortios_log	netops

See below for more detail on the splunk_metadata.csv format:

The columns in this file are key, metadata, and value. To make a change using the override file, consult the example file (or the source documentation) for the proper key and modify and add rows in the table, specifying one or more of the following metadata/value pairs for a given key: key which refers to the vendor and product name of the data source, using the vendor_product convention. For overrides, these keys are listed in the example file. For new custom sources, be sure to choose a key that accurately reflects the vendor and product being configured and that matches the log path. index to specify an alternate value for index.

Check the docs for more info on the format

After editing splunk_metadata.csv, you must restart the SC4S container or service for changes to take effect.

🌟Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: sc4s index re-route

capjacksparo — Sun, 20 Apr 2025 22:29:44 GMT

Re: sc4s index re-route

capjacksparo — Sun, 20 Apr 2025 22:31:02 GMT

Thank you @livehybrid,

i edited the splunk_metadata.csv and removed the existing entires and added the below key,index,value and restarted the SC4S :

fortinet_fortios_traffic, index, index_new
fortinet_fortios_utm, index, index_new

That did not work either.

Am i still missing something here ? Also is there a way to change all (netfw,netops,oswin,osnix and so on) the default index to a new single index ?

Re: sc4s index re-route

livehybrid — Mon, 21 Apr 2025 15:25:03 GMT

Hi @capjacksparo

Please can you confirm where the splunk_metadata.csv is that you updated?

Im not sure its possible to overwrite the defaults - other than by using the splunk_metadata.csv file.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: sc4s index re-route

capjacksparo — Thu, 08 May 2025 13:26:18 GMT

@livehybrid , it is in /opt/sc4s/local/context folder.

Thanks