How to configure fortinet fortigate add on if usin...

Satyams14 · ‎04-15-2024

Hello All,

We have log flow from fortigate to splunk as follows:

Fortigate Analyzer> Syslog server with UF>Deployment server> SearchHead /Indexer.

Kindly suggest how can i get logs using fortinet add on over indexer? will i have to install fortinet add on app over syslog server UF as well? and what data source need to be selected over indexer.

marnall · ‎04-15-2024

It appears that the Fortinet FortiWeb Add-On receives the data from a UDP data input. The instructions on the Splunkbase page describe how to set a syslog log export configuration on FortiWeb.

You could install this app on your indexers or a heavy forwarder to receive the logs directly from your FortiWeb device(s), but it's generally better to have a separate syslog server to collect logs rather than rely on Splunk's udp input. Your current log pipeline looks good.

You could then install this app on your indexer tier so that the indexers perform index-time operations on the logs after receiving them from your syslog server.

This app can also go on your search head to provide macros, eventtypes, and other knowledge objects used for searching.

Because the app does not have any input configurations, it does not make sense to install it on a universal forwarder.

How to configure fortinet fortigate add on if using syslog server UF to get logs into indexer from fortigate analyzer?

heavy forwarder

universal forwarder

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?