Hello,
I have a FortiGate 300e with FortiOS 6.0.4, and would like to index only the security events in Splunk.
Also, I want to use only the Fortigate Add-on for the parse of the logs.
I do not want to use the Fortigate APP because I will build my own dashboard. Is this possible?
Does anyone have experience with this?
Tks
Hi Burak,
For the Palo Alto Firewall I was able to do the indexing of the logs via Palo Alto Add-on only. I've used 3 files in the local directory, such as:
Inputs.conf
[udp: // 5514]
sourcetype = pan: log
no_appending_timestamp = true
index = pancompany_logs
Props.conf
[pan: log]
TRANSFORMS-drop = discard-traffic
Transforms.conf
[discard-traffic]
REGEX =, TRAFFIC,
DEST_KEY = queue
FORMAT = nullQueue
Help!!!
How do I configure the inputs, props and transforms in FortiGate Add-on?
I would like to drop traffic logs (ex.: type="traffic") and index only security logs (ex.: type="utm") from FortiGate.
Can you help me?
Tks
Did you get this working? I am working on this myself right now. Only want the utm logs but on top of this only specific fields within those logs.
UTM gets very sizable in our environment and we have a constraining license.
hi ,
you can deploy related TA to your indexer and heavy forwarder only, you don't need to deploy APP to search head or any splunk role if you don't want their dashboard.