Getting Data In

Having trouble with my SC4S configurations for Fortigate

DilankaMADM
New Member

I have set up SC4S and it has been connected to Splunk Enterprise. I have also forwarded the logs from the FortiGate firewall as syslog via port 514 (I have verified via tcpdump that the Forti logs are arriving). From Splunk I can see only the SC4S startup events (source = sc4s, sourcetype = sc4s:events) being ingested. FortiGate logs are not ingesting. The following are the current configurations. (I have installed the Fortigate app in Splunk and it worked properly when I forwarded the FortiGate logs to Splunk directly.)

Created a data input (HEC) from Splunk (tested 2, but neither worked):

1.

index=default
source type = default

2.

index=netops
source type = fgt_event

/opt/sc4s/env_file

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://192.168..3.46:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=4926fe93-4d91-409f-bf23-c6c67c0a880f
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

splunk_metadata.csv

fortinet_fortios_event,index,netops
fortinet_fortios_event,source,fgt_event

How can I fix this issue? Appreciate your support on this. Thank You.
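As an added example (not part of the original post and not SC4S's own tooling), here is a small linter for the two SC4S files shown above. It parses an env_file and a splunk_metadata.csv, checks that the HEC URL has a usable scheme, host and port, that the token looks like a HEC UUID, that each CSV row has three columns with a recognised metadata field, and it warns when the HEC URL is plaintext http or when TLS verification is switched off. The sample file contents are constructed for the example (the token is a zero placeholder), and the set of accepted metadata field names is an assumption. It cannot see the Splunk side, so whether the HEC token is allowed to write to the index named in the CSV still has to be checked in Splunk itself.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample of the two files from the post. The token is a placeholder;
# the host deliberately carries the double-dot typo so the linter has something to find.
ENV_FILE = """\
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://192.168..3.46:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=00000000-0000-0000-0000-000000000000
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
"""

METADATA_CSV = """\
fortinet_fortios_event,index,netops
fortinet_fortios_event,source,fgt_event
"""

# Assumption: metadata fields accepted in the second column of splunk_metadata.csv.
VALID_METADATA = {"index", "source", "sourcetype", "host"}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# DNS-style hostname: one or more non-empty labels, no leading/trailing hyphen.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")


def parse_env(text):
    """Parse KEY=VALUE lines (comments and blanks ignored) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def valid_host(host):
    """True if host is an IP address or a well-formed DNS name (no empty labels)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOST_RE.match(host))


def check_env(env):
    """Return a list of problems found in the HEC destination settings."""
    problems = []
    url = env.get("SC4S_DEST_SPLUNK_HEC_DEFAULT_URL", "")
    if not url:
        problems.append("missing SC4S_DEST_SPLUNK_HEC_DEFAULT_URL")
    else:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            problems.append(f"HEC URL scheme must be http or https: {url}")
        elif parts.scheme == "http":
            problems.append("HEC URL uses plaintext http; the HEC token travels unencrypted")
        if not valid_host(parts.hostname or ""):
            problems.append(f"HEC URL host is not a valid IP or hostname: {parts.hostname!r}")
        if parts.port is None:
            problems.append("HEC URL has no port (Splunk HEC listens on 8088 by default)")
        if parts.scheme == "https" and env.get("SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY", "").lower() == "no":
            problems.append("TLS verification disabled; the HEC certificate will not be checked")
    token = env.get("SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN", "")
    if not UUID_RE.match(token):
        problems.append("HEC token does not look like a UUID")
    return problems


def check_metadata(text):
    """Return a list of problems found in splunk_metadata.csv rows (key,metadata,value)."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split(",")]
        if len(cols) != 3:
            problems.append(f"line {n}: expected 3 columns (key,metadata,value), got {len(cols)}")
            continue
        key, field, value = cols
        if field not in VALID_METADATA:
            problems.append(f"line {n}: unknown metadata field {field!r}")
        if not value:
            problems.append(f"line {n}: empty value for {key}/{field}")
    return problems


def lint(env_text, csv_text):
    """Run both checks and return {'env_file': [...], 'splunk_metadata.csv': [...]}."""
    return {"env_file": check_env(parse_env(env_text)),
            "splunk_metadata.csv": check_metadata(csv_text)}


if __name__ == "__main__":
    for name, problems in lint(ENV_FILE, METADATA_CSV).items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run against the constructed sample, the env_file section reports the malformed host and the plaintext http URL, while the CSV section passes because both rows use recognised fields. Point it at the real files by reading them from /opt/sc4s/env_file and the local config directory instead of the inline strings.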
