Deployment Architecture

Fortinet Fortigate log direct ingest into Splunk

christay
New Member

Hi Guys,

Can I just check, is it possible for me to directly ingest the Fortinet FortiGate logs into my Splunk environment?
Meaning without using the Forwarder + syslog server method, like the following guide for a standalone environment from Fortinet:
https://www.fortinet.com/content/dam/fortinet/assets/alliances/Fortinet-Splunk-Deployment-Guide.pdf

My current environment setup is as follows:
1 x Search Head/Node Master role Server.
2 x Cluster Indexer Server.

If the direct ingest method is possible in my environment, how should I go about configuring it to ensure both my indexers have a replicated copy of the data that was ingested from Fortinet?

Thanks in advance!

1 Solution

lakshman239
Influencer

As per Splunk's best practice, for syslog data sources, it's advised to set up a syslog server [rsyslog/syslog-ng] for a production environment. This can be a low-spec server or a virtual machine, based on the volume of data ingested. This then will send the logs using a UF to the indexer cluster in round robin. The replication factor setting can be used to ensure a copy always resides on the origin and the other indexer.

If for some reason this cannot be done, then you can deploy an app to both the indexers in the cluster [with a UDP port, which should be higher than 1024 for the non-root account used to run Splunk]. The syslog can go to one of the indexers [as you may need to provide an IP in the FortiGate, unless you can have a DNS record which can round-robin the syslog to both the indexers], and in case that indexer fails, you would need to manually change the IP on the FortiGate to the other working indexer [you may also have cluster issues to handle when one node goes down in a 2-node cluster]. Make a note of all the pros/cons and decide on the approach that suits your needs.


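The two layouts the answer describes, written out as Splunk .conf fragments. This is an added example, not configuration from the thread, from Splunk or from Fortinet; the host names, UDP port, index name, sourcetype and file paths are assumptions.

```ini
# Layout 1 (recommended): syslog server + Universal Forwarder.
# rsyslog/syslog-ng writes each firewall's messages under
# /var/log/fortigate/<fw-host>/; the UF tails those files and
# load-balances across both indexers.

# --- on the syslog server: $SPLUNK_HOME/etc/apps/fortigate_inputs/local/inputs.conf
[monitor:///var/log/fortigate/*/*.log]
index = fortigate
# assumption: sourcetype consumed by the Fortinet FortiGate add-on
sourcetype = fgt_log
# 4th path segment (<fw-host>) becomes the event host
host_segment = 4
disabled = 0

# --- on the syslog server: $SPLUNK_HOME/etc/apps/fortigate_inputs/local/outputs.conf
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.internal:9997, idx2.example.internal:9997
# switch target indexer every 30 s; peers hold a copy of each other's buckets
autoLBFrequency = 30
# block until the indexer acknowledges receipt, so a peer failure loses nothing
useACK = true

# Layout 2 (fallback): UDP input app deployed to both indexer peers.
# --- on the cluster manager: $SPLUNK_HOME/etc/master-apps/fortigate_udp/local/inputs.conf
# (push to the peers with: splunk apply cluster-bundle)
# port above 1024 so the non-root splunk account can bind it
[udp://1514]
index = fortigate
sourcetype = fgt_log
# record the sending FortiGate's IP as the host field
connection_host = ip
# keep the raw syslog line as sent
no_appending_timestamp = true

# Replication for both layouts, on the cluster manager:
# --- $SPLUNK_HOME/etc/system/local/server.conf
[clustering]
# "master" on releases before 8.1
mode = manager
# every bucket exists on both peers ...
replication_factor = 2
# ... and both copies are searchable
search_factor = 2
```

With layout 2 the FortiGate still points at a single indexer IP, so the manual failover the answer mentions remains; the replication settings only guarantee that data already received exists on both peers.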

christay
New Member

Thanks for the advice, appreciate that.
