topic Re: Where should I install Fortinet Fortigate Add-On for Splunk? in Splunk Enterprise Security

Where should I install Fortinet Fortigate Add-On for Splunk?

bsuresh1 — Thu, 17 Oct 2019 09:36:05 GMT

Hi All,

We are using Splunk Cloud environment with One Adhoc Search Head and one Enterprise Security Search head.

We have On-prem Deployment server, one Heavy forwarder and one syslog server (also a heavy forwarder).

Fortigate firewall logs are being sent from devices ---> syslog server (HF) ---> Splunk cloud indexers

Currently, I have set index=firewall and sourcetype=fgt for Fortigate firewall logs.

To have the Fortigate firewall logs on Enterprise Security dashboard (For example in Intrusion Center), where the add-on should be installed and what changes to be made?

Currently the add-on (1.6.0 version) is installed on ES Search Head. Should this be uninstalled from here and installed somewhere else?

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

bhavikbhalodia — Thu, 17 Oct 2019 10:24:04 GMT

Hi @bsuresh1

As per your requirement, you have to install Add-on on the Heavy Forwarder(HF). No need to uninstall Add-on from Search Head.

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

neelamsantosh — Thu, 17 Oct 2019 10:26:45 GMT

As I have already placed the Fortigate AddOn on SH and u must be parsing the logs as expected.
Make sure the data models , event types and tags are in place.
Validate them first as ES mostly relies on them.

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

bsuresh1 — Thu, 17 Oct 2019 10:47:14 GMT

So, should I install the Add-On on Syslog server (Heavy Forwarder)? What should be the sourcetype for fortigate logs and how the props apply?

I believe based on the sourcetype, the logs get pushed to ES data model

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

jerryzhao — Thu, 17 Oct 2019 19:35:07 GMT

keep it on search head and install it on indexers as well.
syslog->splunk indexers(add-on)->ES searchhead(add-on)
when using customized index name and sourcetypes, please refer to the documentation on how to change those in configuration for the add-on.
https://splunkbase.splunk.com/app/2846/#/details

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

bsuresh1 — Fri, 18 Oct 2019 09:24:50 GMT

We are using Splunk Cloud. So, couldn't install on indexers. Shoudl I install it on Syslog (HF) and ES Search Head?

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

jerryzhao — Fri, 18 Oct 2019 17:32:31 GMT

even on cloud, you can ask splunk support to install it for you, right? I have seen other customers use add-on on cloud as well.

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

bsuresh1 — Wed, 30 Sep 2020 02:34:44 GMT

Hi All,
I have installed Add-On on heavy Forwarder (syslog server), but the sourcetype transformation is not happening. All the data is coming in as fgt_log as I defined in inputs.conf.

Am I missing something?

Work done by me:
Installed Fortigate Add-On on Heavy Forwarder
Edited inputs.conf on different app (my_syslog_inputs_app): changed sourcetype from fgt to fgt_log. Decided to keep index as "firewall"

Re: Where should I install Fortinet Fortigate Add-On for Splunk?

SanjayM — Thu, 05 Dec 2024 08:31:38 GMT

Hi Jerry,

in that case where TA is installed on both Indexer and SH,
Where the data input and all configurations are to be configured- on SH right (for Splunk Cloud deployment)
below flow?

Data sources --> HF(Syslog server) (TA not required)--> Cloud indexer (with TA)--> Cloud SH(with TA)

I'd also suggest if you could update the add-on documentation to include clear details pls. That would help.

I have Splunk cloud with ITSI (not ES) and I want to test the Fortinet Add-on