How to configure fortinet fortigate add on if usin...

Satyams14 · ‎04-15-2024

Hello All,

We have log flow from fortigate to splunk as follows:

Fortigate Analyzer> Syslog server with UF>Deployment server> SearchHead /Indexer.

Kindly suggest how can i get logs using fortinet add on over indexer? will i have to install fortinet add on app over syslog server UF as well? and what data source need to be selected over indexer.

marnall · ‎04-15-2024

It appears that the Fortinet FortiWeb Add-On receives the data from a UDP data input. The instructions on the Splunkbase page describe how to set a syslog log export configuration on FortiWeb.

You could install this app on your indexers or a heavy forwarder to receive the logs directly from your FortiWeb device(s), but it's generally better to have a separate syslog server to collect logs rather than rely on Splunk's udp input. Your current log pipeline looks good.

You could then install this app on your indexer tier so that the indexers perform index-time operations on the logs after receiving them from your syslog server.

This app can also go on your search head to provide macros, eventtypes, and other knowledge objects used for searching.

Because the app does not have any input configurations, it does not make sense to install it on a universal forwarder.

How to configure fortinet fortigate add on if using syslog server UF to get logs into indexer from fortigate analyzer?

heavy forwarder

universal forwarder

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation