<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Fortigate Firewall Syslog distinguish in Reporting</title>
    <link>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688672#M12484</link>
    <description>&lt;P&gt;As &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt; already pointed out, your idea of configuring the input was wrong but let me add my three cents to this.&lt;/P&gt;&lt;P&gt;1) I'm not sure about Fortigate logs but generally, if you have RFC-compliant syslogs, TAs do extract the host entry from the event itself so the field value assigned by the input is overwritten during the ingestion process.&lt;/P&gt;&lt;P&gt;2) It's not a very good idea to read syslog events directly on a forwarder. For various reasons - performance, manageability, lack of network-level metadata. It's better to use an intermediate syslog daemon either sending to a HEC input or at least writing to files and reading those files with the forwarder. There are various options here. Most notably SC4S.&lt;/P&gt;&lt;P&gt;EDIT:&lt;/P&gt;&lt;P&gt;3) Oh, and you definitely don't want to set the sourcetype to "firewall_logs". If you're using a TA for Fortigate, use the proper sourcetype for this data as specified in the TA's docs.&lt;/P&gt;</description>
    <pubDate>Sat, 25 May 2024 15:21:30 GMT</pubDate>
    <dc:creator>PickleRick</dc:creator>
    <dc:date>2024-05-25T15:21:30Z</dc:date>
    <item>
      <title>Fortigate Firewall Syslog distinguish</title>
      <link>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688629#M12482</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am forwarding Fortigate firewall syslogs to a Windows universal forwarder and this data is sent to a Splunk single search head, but the Fortigate logs are appearing by their IP; I want to distinguish them by their hostname. I have created the file inputs.conf in c:/programfiles/splunkforwarder/etc/system/local and&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have put the following stanza into it&amp;nbsp;&lt;/P&gt;&lt;P&gt;[udp://514]&lt;/P&gt;&lt;P&gt;sourcetype=firewall_logs&lt;/P&gt;&lt;P&gt;connection_host= 192.168.1.*, 192.168.1.* (Fortigate IPs)&lt;/P&gt;&lt;P&gt;host= Both Fortigate hostnames in comma separated values&lt;/P&gt;&lt;P&gt;but the hostname is appearing under a single hostname&lt;/P&gt;</description>
      <pubDate>Fri, 24 May 2024 15:54:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688629#M12482</guid>
      <dc:creator>AtherAD</dc:creator>
      <dc:date>2024-05-24T15:54:19Z</dc:date>
    </item>
    <item>
      <title>Re: Fortigate Firewall Syslog distinguish</title>
      <link>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688655#M12483</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/267655"&gt;@AtherAD&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;the connection_host parameter is useful to define the way to associate the host (ip or dns); you cannot use it to assign a host.&lt;/P&gt;&lt;P&gt;In addition,&amp;nbsp;you cannot assign multiple hostnames to an input but only one at a time (eventually using host, not connection_host).&lt;/P&gt;&lt;P&gt;You could try to use the connection_host parameter in your input as described at &lt;A href="https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#UDP_.28User_Datagram_Protocol_network_input.29:" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#UDP_.28User_Datagram_Protocol_network_input.29&lt;/A&gt; :&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  that sends the data. For this to work correctly, set the forward DNS lookup
  to match the reverse DNS lookup in your DNS configuration.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
  system hostname.
* If the input is configured with a 'sourcetype' that has a transform that
  overrides the 'host' field e.g. 'sourcetype=syslog', that takes
  precedence over the host specified here.
* Default: ip&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;in your case:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[udp://514]
sourcetype = firewall_logs
connection_host = dns
disabled = 0
acceptFrom = 192.168.1.*, 192.168.1.*&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 25 May 2024 04:33:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688655#M12483</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2024-05-25T04:33:21Z</dc:date>
    </item>
    <item>
      <title>Re: Fortigate Firewall Syslog distinguish</title>
      <link>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688672#M12484</link>
      <description>&lt;P&gt;As &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt; already pointed out, your idea of configuring the input was wrong but let me add my three cents to this.&lt;/P&gt;&lt;P&gt;1) I'm not sure about Fortigate logs but generally, if you have RFC-compliant syslogs, TAs do extract the host entry from the event itself so the field value assigned by the input is overwritten during the ingestion process.&lt;/P&gt;&lt;P&gt;2) It's not a very good idea to read syslog events directly on a forwarder. For various reasons - performance, manageability, lack of network-level metadata. It's better to use an intermediate syslog daemon either sending to a HEC input or at least writing to files and reading those files with the forwarder. There are various options here. Most notably SC4S.&lt;/P&gt;&lt;P&gt;EDIT:&lt;/P&gt;&lt;P&gt;3) Oh, and you definitely don't want to set the sourcetype to "firewall_logs". If you're using a TA for Fortigate, use the proper sourcetype for this data as specified in the TA's docs.&lt;/P&gt;</description>
      <pubDate>Sat, 25 May 2024 15:21:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Reporting/Fortigate-Firewall-Syslog-distinguish/m-p/688672#M12484</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2024-05-25T15:21:30Z</dc:date>
    </item>
  </channel>
</rss>