Hi,
I am completely new to Splunk and I'm forwarding directly from FortiAnalyzer to Splunk on TCP 1514. I have configured the FortiAnalyzer Remote Server Type = 'Syslog Pack'; the other options are 'Syslog', 'FortiAnalyzer' and 'Common Event Format'. But using the other options I didn't appear to see data arriving on Splunk.
I do see data arriving now, but other than the timestamp and the source IP of the FortiAnalyzer the data is not legible and looks like HEX. It appears that there is something wrong with Splunk interpreting the format of the data that is arriving from the FortiAnalyzer.
I'd be extremely grateful if someone could advise on whether there is a particular 'Source Type' that I should be using on the TCP Data Input for logs arriving from the FortiAnalyzer. Source type 'syslog' seemed the most obvious to me, but that didn't resolve the issue. I have tried a few others and haven't had any success so far.
Is anyone able to advise on anything I may be doing incorrectly? I appreciate that it is not best practice to forward directly, but I was hoping that this was possible, as we are trying to initially test Splunk with a view to potentially scaling up going forward.
Many thanks in advance.
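One check that separates the two possible causes in the post above (the bytes on the wire are not text, versus Splunk rendering text badly) is to receive the same TCP stream with a throwaway listener and inspect the raw payload before any sourcetype is applied. The script below is an added example, not code from the poster, Splunk or Fortinet; it assumes only the TCP port 1514 mentioned in the post and makes no assumption about what the 'Syslog Pack' format contains. It reports whether the payload is mostly printable, splits it into frames using the two common TCP syslog framings (newline-delimited and RFC 6587 octet-counted) and decodes the `<PRI>` header where present. The sample payloads in the test are constructed, not captured.

```python
import re
import socket
import string

# Byte values considered printable text (ASCII letters, digits, punctuation, whitespace).
PRINTABLE = set(string.printable.encode("ascii"))

# RFC 3164/5424 priority header, e.g. "<134>"; RFC 6587 octet-count prefix, e.g. "123 ".
PRI_RE = re.compile(rb"<(\d{1,3})>")
OCTET_RE = re.compile(rb"(\d+) ")


def looks_textual(data: bytes, threshold: float = 0.95) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII.

    A compressed or otherwise binary payload will fail this test, which means
    no Splunk sourcetype for text syslog will make it legible.
    """
    if not data:
        return False
    printable = sum(1 for b in data if b in PRINTABLE)
    return printable / len(data) >= threshold


def parse_frame(frame: bytes) -> dict:
    """Decode one syslog frame into priority, facility, severity and message."""
    m = PRI_RE.match(frame)
    if not m:
        return {"pri": None, "facility": None, "severity": None,
                "message": frame.decode("utf-8", "replace")}
    pri = int(m.group(1))
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8,
            "message": frame[m.end():].decode("utf-8", "replace")}


def parse_syslog_frames(data: bytes) -> list:
    """Split a TCP stream into frames: octet-counted ("N <pri>...") or newline-delimited."""
    frames = []
    pos = 0
    while pos < len(data):
        m = OCTET_RE.match(data, pos)
        if m:
            length = int(m.group(1))
            start = m.end()
            frame = data[start:start + length]
            pos = start + length
        else:
            end = data.find(b"\n", pos)
            if end == -1:
                end = len(data)
            frame = data[pos:end]
            pos = end + 1
        if frame.strip():
            frames.append(parse_frame(frame))
    return frames


def summarize(data: bytes) -> dict:
    """Summary a practitioner would want before choosing (or blaming) a sourcetype."""
    return {
        "bytes": len(data),
        "textual": looks_textual(data),
        "hex_preview": data[:16].hex(" "),
        "frames": parse_syslog_frames(data) if looks_textual(data) else [],
    }


def listen_once(host: str = "0.0.0.0", port: int = 1514,
                max_bytes: int = 65536, timeout: float = 30.0):
    """Accept one TCP connection and return (peer, raw_bytes) for inspection.

    Run this on a host/port that Splunk is not already bound to, then point the
    FortiAnalyzer remote-server entry at it for the duration of the test.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        chunks, total = [], 0
        with conn:
            conn.settimeout(timeout)
            while total < max_bytes:
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
    return peer, b"".join(chunks)


if __name__ == "__main__":
    peer, raw = listen_once()
    print("from", peer, summarize(raw))
```

If `textual` comes back False and the hex preview shows no `<PRI>` header, the problem is the format the sender emits rather than the Splunk input, and the fix is on the FortiAnalyzer side (a text syslog or CEF output); if the frames decode cleanly here, the input's sourcetype or line-breaking settings in Splunk are the place to look.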