I have set up SC4S and it has been connected to Splunk Enterprise. I have also forwarded the logs from the FortiGate firewall as syslog via port 514 (I have verified via tcpdump that the Forti logs are there). From Splunk I can see only the SC4S startup events (source = sc4s, sourcetype = sc4s:events) being ingested. FortiGate logs are not ingesting. The following are the current configurations. (I have installed the FortiGate app in Splunk and it worked properly when I forwarded the FortiGate logs directly to Splunk.)
Created a data input (HEC) in Splunk (tested two, but neither worked):
1. index=default
   sourcetype=default
2. index=netops
   sourcetype=fgt_event
/opt/sc4s/env_file:
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://192.168..3.46:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=4926fe93-4d91-409f-bf23-c6c67c0a880f
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
splunk_metadata.csv:
fortinet_fortios_event,index,netops
fortinet_fortios_event,source,fgt_event
How can I fix this issue? I appreciate your support on this. Thank you.
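Before chasing the parser side, it is worth sanity-checking the two files the post shows, because a broken HEC destination means SC4S can still emit its own startup events while nothing else arrives. The script below is an added example, not the poster's code and not part of the SC4S project: it parses an env_file and a splunk_metadata.csv offline and reports the problems a practitioner would look for (a malformed host in the HEC URL, a plaintext http scheme, a missing port, a non-GUID token, TLS verification switched off, and CSV rows that are not key,field,value with a known field). It assumes the splunk_metadata.csv row format documented by SC4S (key,field,value), that the overridable fields are index, source, sourcetype and host, and that Splunk HEC tokens are GUID-formatted. The sample inputs are constructed to mirror the values in the post, with a placeholder token; run over those values, the URL check flags the empty octet in the host.

```python
"""Offline sanity checks for an SC4S HEC destination env_file and splunk_metadata.csv.

Added example, not SC4S project code. Assumptions: env_file is KEY=VALUE lines,
splunk_metadata.csv rows are key,field,value (SC4S docs), the overridable fields
are index/source/sourcetype/host, and Splunk HEC tokens are GUID-formatted.
"""
import ipaddress
import re
import uuid
from urllib.parse import urlsplit

# Fields SC4S lets splunk_metadata.csv override (assumption: exactly this set).
METADATA_FIELDS = {"index", "source", "sourcetype", "host"}

# Constructed inputs modelled on the post; the token is a placeholder GUID.
SAMPLE_ENV_FILE = """\
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://192.168..3.46:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=00000000-0000-4000-8000-000000000000
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
"""
SAMPLE_METADATA_CSV = """\
fortinet_fortios_event,index,netops
fortinet_fortios_event,source,fgt_event
"""


def parse_env_file(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def check_hec_url(url):
    """Return the problems found in a SC4S_DEST_SPLUNK_HEC_DEFAULT_URL value."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme must be http or https, got {parts.scheme!r}")
    elif parts.scheme == "http":
        problems.append("plaintext http: the HEC token is sent unencrypted")
    host = parts.hostname
    if not host:
        problems.append("no host in URL")
    elif re.fullmatch(r"[0-9.]+", host):
        # Looks like a dotted quad: every octet must be present and in 0..255,
        # so an empty octet such as "192.168..3.46" is rejected here.
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            problems.append(f"malformed IPv4 address {host!r}")
    try:
        port = parts.port
    except ValueError:
        problems.append("port is not numeric")
    else:
        if port is None:
            problems.append("no port given (Splunk HEC listens on 8088 by default)")
    if parts.path not in ("", "/"):
        problems.append(f"unexpected path {parts.path!r}; use scheme://host:port only")
    return problems


def check_env(env):
    """Check the three SC4S HEC destination settings from the env_file."""
    problems = []
    url = env.get("SC4S_DEST_SPLUNK_HEC_DEFAULT_URL")
    if not url:
        problems.append("SC4S_DEST_SPLUNK_HEC_DEFAULT_URL is missing")
    else:
        problems += [f"URL: {p}" for p in check_hec_url(url)]
    token = env.get("SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN", "")
    if not token:
        problems.append("SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN is missing")
    else:
        try:
            uuid.UUID(token)
        except ValueError:
            problems.append("TOKEN is not GUID-formatted; copy it from the HEC input page")
    if env.get("SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY", "").lower() == "no":
        problems.append("TLS_VERIFY=no: the HEC endpoint's certificate is never checked")
    return problems


def check_metadata_csv(text):
    """Check splunk_metadata.csv rows: key,field,value with a known field."""
    problems = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split(",")]
        if len(cols) != 3 or not all(cols):
            problems.append(f"line {lineno}: expected key,field,value")
            continue
        key, field, _value = cols
        if field not in METADATA_FIELDS:
            problems.append(f"line {lineno}: unknown field {field!r}")
        if (key, field) in seen:
            problems.append(f"line {lineno}: duplicate override for {key}/{field}")
        seen.add((key, field))
    return problems


if __name__ == "__main__":
    for p in check_env(parse_env_file(SAMPLE_ENV_FILE)) + check_metadata_csv(SAMPLE_METADATA_CSV):
        print("-", p)
```

The checks are deliberately conservative: they only report what can be decided from the text of the two files, so a clean result still has to be confirmed by sending a test event to the HEC endpoint from the SC4S host and by checking the SC4S container log for HEC errors.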