Getting Data In

Having trouble with my SC4S configurations for Fortigate

DilankaMADM
New Member

I have setup a SC4S and it has been connected to splunk enterprise. Also I have forwarded the logs from fortigate firewall as syslogs via port 514. (I have verified that forti logs are  this via tcpdump) From the Splunk I can see SC4S startup events as only sc4s events (source = sc4s , sourcetype = sc4s:events) which are ingested. Fortigate logs are not ingesting.  following are the current configurations.(I have installed Fortigate app in splunk and it worked properly when I directly forward fortigate logs to splunk)

Created a data input(HEC) from Splunk(tested 2 but not worked),

1.

index=default

source type = default

 

2.

index=netops

source type = fgt_event

 

/opt/sc4s/env_file

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://192.168..3.46:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=4926fe93-4d91-409f-bf23-c6c67c0a880f
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

 

splunk_metadata.csv

fortinet_fortios_event,index,netops
fortinet_fortios_event,source,fgt_event

 

How can I fix this issue? Appreciate your support on this. Thank You.

 

 

 

 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...