Is there any way of using the logs I'm already receiving through a Splunk forwarder in the Splunk App for Fortinet?

josefa
Path Finder

Hello there,

Is there any way of using the logs that I'm already receiving through a Splunk forwarder in the Fortinet App?

I have a central syslog where I receive Fortigate logs, and then send them to my indexer with the splunkforwarder:

My indexer's $SPLUNK_HOME/etc/apps/search/local/inputs.conf has this configuration:

[splunktcp://9997]
connection_host = ip

I guess something like this should go in $SPLUNK_HOME/etc/apps/SplunkAppforFortinet/local/inputs.conf:

[splunktcp://9997]
index = fgt_logs
connection_host = ip
sourcetype = fgt_log

But then, how do I prevent everything that comes through the forwarders from going into the Fortinet application?
I want to try the application first and, if I feel it is worth it, start using it, but I don't want to duplicate logs in my indexer.

Any help is appreciated

lguinn2
Legend

It is very common for apps to define inputs, sourcetypes and indexes. Don't use the splunktcp stanza as you show in your question - that is not going to do what you want, whether you decide to use the app or not!

If you install the app, it will create an index called fgt_logs. However, if you decide to delete the app, you could keep the index simply by copying the stanza from indexes.conf into another location. There is nothing that would prevent you from using this index in any way you choose.

The Fortigate app also wants you to set up a UDP input to collect the firewall data, and give the UDP input the sourcetype of fgt_log. You must set up this input. Again, you could keep this input as-is by making sure that the input stanza existed in an inputs.conf file outside of the app. Even if you delete the input, that will only stop Splunk from collecting future data - the data that Splunk has already collected will remain.

You should not duplicate the UDP input; you should have only one UDP input. You will not have two copies of the logs. Splunk stores the indexes independently of the apps (although it does need the configuration in indexes.conf to find the index).

If you want to refer to the Fortinet logs using multiple sourcetypes, you can use sourcetype renaming. You will find it under Settings->Fields. This will give you 2 sourcetype names that both refer to a single copy of the data.

Finally, if you download the Fortinet app and untar it somewhere, you will find a README file that describes how to set up the inputs.
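
To make the layout described in this answer concrete, below is an added configuration example (not from the original thread and not the Fortinet app's own files). It assumes the central syslog host runs a universal forwarder that monitors /var/log/fortinet.log, that a small custom app named local_indexes holds the indexes.conf copy on the indexer, and that the renamed sourcetype is called fortigate; those names and paths are assumptions for illustration only.

```ini
# --- Universal forwarder on the central syslog host: etc/apps/fgt_inputs/local/inputs.conf ---
# (app name fgt_inputs and the log path are assumptions for this example)
# The forwarder decides the index and sourcetype; the Fortinet app expects fgt_logs / fgt_log.
# Because the logs already arrive this way, do NOT also enable the app's UDP input for the
# same firewalls, or every event would be indexed twice.
[monitor:///var/log/fortinet.log]
index = fgt_logs
sourcetype = fgt_log
disabled = 0

# --- Indexer: etc/apps/search/local/inputs.conf (unchanged from the question) ---
# Receiving port only. Do not add index= or sourcetype= here: a splunktcp stanza
# receives every forwarder's data, not just the Fortinet stream.
[splunktcp://9997]
connection_host = ip

# --- Indexer: etc/apps/local_indexes/local/indexes.conf (app name assumed) ---
# A copy of the app's fgt_logs stanza kept outside the Fortinet app, so the index
# definition survives if the app is later removed. Uninstalling an app never deletes
# indexed data; it only removes this pointer to it.
[fgt_logs]
homePath   = $SPLUNK_DB/fgt_logs/db
coldPath   = $SPLUNK_DB/fgt_logs/colddb
thawedPath = $SPLUNK_DB/fgt_logs/thaweddb

# --- Search head / indexer: etc/apps/local_indexes/local/props.conf ---
# Sourcetype renaming (what Settings -> Fields -> Sourcetype renaming writes).
# Events indexed as fgt_log show up at search time as sourcetype=fortigate
# (the indexed name stays in _sourcetype); nothing is reindexed or duplicated.
[fgt_log]
rename = fortigate
```

The forwarder stanza is the only place the Fortinet events are tagged; the indexer's splunktcp stanza carries no metadata overrides, so other forwarders' data keeps landing in its own indexes and the fgt_logs index holds exactly one copy of the firewall events.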

josefa
Path Finder

Thank you lguinn for your reply, it cleared my mind.

I modified my inputs.conf file on the forwarder so it sets the index and sourcetype as the Fortinet App needs them:

# Forwarder-side input: tag the syslog file with the index and sourcetype the app expects
[monitor:///fortinet.log]
index = fgt_logs
sourcetype = fgt_log

I was getting confused about how to use the app without crashing some self-built dashboards with data from the main index that I have, but then I just added something like

 index=main OR index=fgt_logs

to the searches and that worked
