How to configure fortinet fortigate add on if usin...

Satyams14 · ‎04-15-2024

Hello All,

We have log flow from fortigate to splunk as follows:

Fortigate Analyzer> Syslog server with UF>Deployment server> SearchHead /Indexer.

Kindly suggest how can i get logs using fortinet add on over indexer? will i have to install fortinet add on app over syslog server UF as well? and what data source need to be selected over indexer.

marnall · ‎04-15-2024

It appears that the Fortinet FortiWeb Add-On receives the data from a UDP data input. The instructions on the Splunkbase page describe how to set a syslog log export configuration on FortiWeb.

You could install this app on your indexers or a heavy forwarder to receive the logs directly from your FortiWeb device(s), but it's generally better to have a separate syslog server to collect logs rather than rely on Splunk's udp input. Your current log pipeline looks good.

You could then install this app on your indexer tier so that the indexers perform index-time operations on the logs after receiving them from your syslog server.

This app can also go on your search head to provide macros, eventtypes, and other knowledge objects used for searching.

Because the app does not have any input configurations, it does not make sense to install it on a universal forwarder.

How to configure fortinet fortigate add on if using syslog server UF to get logs into indexer from fortigate analyzer?

heavy forwarder

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation