Hi Guys,
Can I just check, is it possible for me to directly ingest the Fortinet FortiGate logs into my Splunk environment?
Meaning without using the forwarder + syslog server method, like the following guide for a standalone environment from Fortinet:
https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-Splunk-Deployment-Guide.pdf
My current environment setup is as follows:
1 x Search Head/Node Master role server.
2 x Cluster Indexer servers.
If the direct ingest method is possible in my environment, how should I go about configuring it to ensure both my indexers have a replicated copy of the data that was ingested from Fortinet?
Thanks in advance!

As per Splunk's best practice, for syslog data sources it's advised to set up a syslog server [rsyslog/syslog-ng] for a production environment. This can be a low-spec server or a virtual machine, based on the volume of data ingested. This then sends the logs using a UF to the indexer cluster in round robin. The replication factor setting can be used to ensure a copy always resides on the origin and the other indexer.
If for some reason this cannot be done, then you can deploy an app to both the indexers in the cluster [with a UDP port, which should be higher than 1024 for the non-root account used to run Splunk]. The syslog can go to one of the indexers [as you may need to provide an IP in the FortiGate, unless you can have a DNS record which can round-robin the syslog to both the indexers], and in case of that indexer failing, you would need to manually change the IP on the FortiGate to the other working indexer. [You may also have cluster issues to handle when one node goes down in a 2-node cluster.] Make a note of all pros/cons and decide on the approach that suits your needs.
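As an added worked example (not part of the original question or answer), the configuration fragments below show the recommended path from the answer end to end: FortiGate to a syslog collector, collector to the two cluster peers via a universal forwarder, and the cluster settings that make both peers hold a copy. The alternative direct-UDP input from the answer is at the bottom. The IPs, hostnames, the `fortigate` index, the collector file paths and the app names are assumptions for illustration; the `fgt_log` sourcetype is the one used by the Fortinet FortiGate Add-On for Splunk, but check the add-on version you deploy. FortiOS CLI options vary by release, so verify them on your firewall.

```conf
# ---- (1) FortiGate: send syslog to the collector (FortiOS CLI; collector IP is assumed) ----
config log syslogd setting
    set status enable
    set server "10.0.0.50"
    set mode udp
    set port 514
    set facility local7
    set format default
end

# ---- (2) Collector: /etc/rsyslog.d/10-fortigate.conf ----
# rsyslog runs as root, so it can bind 514; Splunk does not need to.
# One file tree per sending device, so the device IP can be recovered as the host.
module(load="imudp")
input(type="imudp" port="514" ruleset="fortigate")
template(name="FgtFile" type="string"
         string="/var/log/remote/fortigate/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%.log")
ruleset(name="fortigate") {
    action(type="omfile" dynaFile="FgtFile")
}

# ---- (3) UF on the collector: $SPLUNK_HOME/etc/apps/fortigate_inputs/local/inputs.conf ----
[monitor:///var/log/remote/fortigate]
recursive = true
sourcetype = fgt_log
index = fortigate
# /var/log/remote/fortigate/<device-ip>/<file>: the 5th path segment is the device IP
host_segment = 5
disabled = 0

# ---- (4) UF on the collector: $SPLUNK_HOME/etc/apps/fortigate_inputs/local/outputs.conf ----
# Static peer list load-balanced in round robin (indexer discovery via the
# cluster manager is the other option). Peer names are assumed.
[tcpout]
defaultGroup = idxcluster

[tcpout:idxcluster]
server = idx1.example.com:9997, idx2.example.com:9997
autoLBFrequency = 30
# indexer acknowledgement: if a peer dies mid-send, the UF resends to the other peer
useACK = true

# ---- (5) Cluster manager (the "Node Master" role): $SPLUNK_HOME/etc/system/local/server.conf ----
[clustering]
mode = manager          ; "master" on releases before the rename
replication_factor = 2  ; 2 peers, 2 copies: every bucket lives on both indexers
search_factor = 2       ; both copies searchable, so search survives one peer down

# ---- (6) Cluster manager: $SPLUNK_HOME/etc/manager-apps/fortigate_indexes/local/indexes.conf ----
# Pushed to both peers with a cluster bundle push ("master-apps" on older releases).
[fortigate]
homePath   = $SPLUNK_DB/fortigate/db
coldPath   = $SPLUNK_DB/fortigate/colddb
thawedPath = $SPLUNK_DB/fortigate/thaweddb
# Without repFactor = auto the index is NOT replicated, whatever the cluster RF says.
repFactor  = auto

# ---- Alternative: direct UDP input on both peers, pushed from the manager ----
# $SPLUNK_HOME/etc/manager-apps/fortigate_udp/local/inputs.conf
# Port above 1024 because splunkd runs as a non-root user.
[udp://1514]
sourcetype = fgt_log
index = fortigate
connection_host = ip    ; host = sending FortiGate's IP
disabled = 0
# The FortiGate then gets "set server <one peer IP>" / "set port 1514" in step (1);
# if that peer goes down, the server IP must be changed by hand, as the answer says.
```

The two settings people most often miss are in (5) and (6): the cluster-wide `replication_factor` only applies to indexes whose `indexes.conf` stanza carries `repFactor = auto`, so an index created by hand on one peer, or pushed without that line, ends up with a single copy. After the bundle push, the manager's cluster status page (or `splunk show cluster-status` on the manager) should report the replication factor met; with UDP directly to a peer, remember that anything sent while that peer is down is simply lost, since UDP syslog has no retry.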
Thanks for the advice, appreciate that.
