Getting Data In

How to configure fortinet fortigate add on if using syslog server UF to get logs into indexer from fortigate analyzer?

Satyams14
Loves-to-Learn Lots

Hello All,

We have log flow from fortigate to splunk as follows:

Fortigate Analyzer> Syslog server with UF>Deployment server> SearchHead /Indexer.

Kindly suggest how can i get logs using fortinet add on over indexer? will i have to install fortinet add on app over syslog server UF as well? and what data source need to be selected over indexer.

Labels (2)
0 Karma

marnall
Motivator

It appears that the Fortinet FortiWeb Add-On receives the data from a UDP data input. The instructions on the Splunkbase page describe how to set a syslog log export configuration on FortiWeb.

You could install this app on your indexers or a heavy forwarder to receive the logs directly from your FortiWeb device(s), but it's generally better to have a separate syslog server to collect logs rather than rely on Splunk's udp input. Your current log pipeline looks good.

You could then install this app on your indexer tier so that the indexers perform index-time operations on the logs after receiving them from your syslog server.

This app can also go on your search head to provide macros, eventtypes, and other knowledge objects used for searching.

Because the app does not have any input configurations, it does not make sense to install it on a universal forwarder.

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...