
Ingest FortiGate logs to Splunk

dikaaditsa
Loves-to-Learn Lots

Hi All,

I have already configured log ingestion from FortiGate using syslog; the logs are sent over UDP on port 514.

I also set up a data input in Splunk Enterprise to receive the data on port 514.

When I run tcpdump on the Splunk VM, the data is successfully flowing from FortiGate to the Splunk VM, but when I search the data from Splunk Web, no data appears.

Currently I ingest the data into 1 indexer and search the data from another search head.

Please give me some advice to solve my issue.

Thank you


jawahir007
Communicator

- Check in the OS firewall that the port is enabled.

- Check that the correct sourcetype is configured.

- Try to search the data on the indexer itself to verify it's not a connectivity issue between the search head and the indexer.


gcusello
SplunkTrust

Hi @dikaaditsa,

Which index did you configure in your input, and is it the one you're using in your search?

Did you install the Fortinet FortiGate Add-On for Splunk (https://splunkbase.splunk.com/app/2846) to have correct parsing?

In any case, it isn't a best practice to use Splunk to receive syslog.

The best approach is to configure a syslog receiver (e.g. rsyslog or syslog-ng) that writes logs to disk and then use Splunk to read these files.

In this way, your syslog input will be active even if Splunk is down, and in addition it puts less load on the system, avoiding queues.

Does your distributed search (you have one SH and one IDX) run correctly? In other words, are other searches executed correctly?

Ciao.

Giuseppe


dikaaditsa
Loves-to-Learn Lots

Hi @gcusello

Thank you for your answer. I did not install any add-ons for Fortinet.
Sure, I actually have 1 SH and 2 indexers, but I only ingest the logs into 1 indexer. The other logs from other services are ingested correctly and can be searched on the SH.


PickleRick
SplunkTrust

OK. This approach is wrong on many levels.

1. Receiving syslog directly on an indexer (or HF or UF) causes data loss whenever you need to restart that Splunk component.

2. When you're receiving syslog directly on Splunk, you lose at least some of the network-level metadata and you can't use that information to - for example - route events to different indexes or assign them different sourcetypes. Because of that you need to open multiple ports for separate types of sources. Which uses up resources and complicates the setup.

3. In order to receive syslog on a low port (514) Splunk would have to run as root. This is something you should _not_ be doing. Are you sure that input has even opened that port?

4. If you have two indexers (clustered or standalone?) and receive on only one of them, you're asking for data asymmetry.



PickleRick
SplunkTrust

Unfortunately, third-party add-ons and their manuals are often... how to say it gently... not written in the best way possible. They are written by people who might be proficient with their respective solutions but not necessarily knowledgeable in Splunk.

The advised way to get syslog data to Splunk is still using an external syslog daemon which will either write the data to files from which you'll pick up the events with UF and monitor input or which will send the data to Splunk's HEC input.

For a small-scale test environment sending directly to Splunk might be relatively OK (when you don't mind the cons of such setup) but you need to create your udp or tcp inputs on high ports (over 1024) when not running Splunk as root.

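A minimal version of the file-based pipeline that both @gcusello and @PickleRick recommend (rsyslog receives UDP 514 and writes one file per sending device, a Universal Forwarder on that host monitors the directory), written here as an added example rather than anything from the thread, the add-on, or Splunk's documentation. The file paths, the index name `fortigate`, the app name `fortigate_inputs` and the sourcetype `fgt_log` are assumptions; check the sourcetype against whatever add-on you install so its parsing applies.

```conf
# ---- /etc/rsyslog.d/10-fortigate.conf (assumed path) -----------------------
# rsyslog binds the privileged port 514 itself, so Splunk never needs root.
module(load="imudp")
input(type="imudp" port="514" ruleset="fortigate")

# One file per source IP and day; FROMHOST-IP is the network-level metadata
# that is lost when Splunk receives the UDP stream directly.
template(name="FgtFile" type="string"
         string="/var/log/fortigate/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Write the raw syslog line unchanged so the add-on's field extractions apply.
template(name="FgtRaw" type="string" string="%rawmsg%\n")

ruleset(name="fortigate") {
    action(type="omfile" dynaFile="FgtFile" template="FgtRaw"
           dirCreateMode="0750" fileCreateMode="0640")
}

# ---- $SPLUNK_HOME/etc/apps/fortigate_inputs/local/inputs.conf (assumed) -----
# Runs on the Universal Forwarder installed on the syslog host.
[monitor:///var/log/fortigate/*/*.log]
disabled = 0
index = fortigate
sourcetype = fgt_log
# /var/log/fortigate/<ip>/<date>.log -> segment 4 is <ip>, so each event
# keeps the sending firewall as its host field.
host_segment = 4
```

If the firewall is still configured to send to the Splunk host on 514 but nothing shows up, confirm that the daemon, not Splunk, owns the socket (`ss -lunp | grep :514`) and that the files are actually being created before looking at the search side.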

dikaaditsa
Loves-to-Learn Lots

Dear @PickleRick 

Thank you for your correction. Do you have any suggestion or best practice for me?


Regards,

Dika


dikaaditsa
Loves-to-Learn Lots

I did not write the logs to a file because of a lack of resources.


dikaaditsa
Loves-to-Learn Lots

Is there any step or checklist I can use to check or troubleshoot this as a first step? I am just curious why the logs have stopped ingesting into Splunk, because previously I didn't have any issue using this way.
