Solved: fortinet logs visibility

splunkcol · ‎12-15-2021

Hi all,

Currently I receive the logs from the fortinet source without problems, but what worries me is that there is a large consumption of licensing.

When I make a query I find that 94% of the logs that arrive are type "Notice"

Would it be a bad idea to ask the administrator not to send this type of log?

In case of blocking this type of log, what important information would you miss?

isoutamo · ‎12-16-2021

Hi

probably those with level notice are some audit trail etc. (like accepted connections and so on).

It's totally dependent are those needed on your organisation or not. If you are not needed those you could easily drop those away before indexing or try to ask that your network staff filltering those away before sending.

On splunk side (HF or IDX) you could also partially filtering those if some are needed and some not. Just look how this can do from docs or previous community answers.

r. Ismo

View solution in original post

isoutamo · ‎12-16-2021

Hi

probably those with level notice are some audit trail etc. (like accepted connections and so on).

It's totally dependent are those needed on your organisation or not. If you are not needed those you could easily drop those away before indexing or try to ask that your network staff filltering those away before sending.

On splunk side (HF or IDX) you could also partially filtering those if some are needed and some not. Just look how this can do from docs or previous community answers.

r. Ismo

fortinet logs visibility

dashboard

other

search

troubleshooting

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!