Getting Data In

SC4S TLS config for Fortigate logs

wayne333
Explorer

Hi,

I was receiving FortiGate logs just fine when I was using the below config in the env file.
SC4S_SOURCE_TLS_ENABLE=yes
SC4S_LISTEN_FORTINET_RFC6587_PORT=9XXX
SC4S_LISTEN_FORTINET_RFC5425_PORT=9XXX

After applying TLS on my other sources, for example it went from

SC4S_LISTEN_DELL_IDRAC_TCP_PORT=9XXX to SC4S_LISTEN_DELL_IDRAC_TLS_PORT=9XXX

and it worked just by replacing the protocol to TLS. 

However, it's not that straightforward for the FORTINET logs. Has anyone encountered this situation before?

Appreciate the help. 😃


Wander
Path Finder

FortiGate isn’t handled the same way as iDRAC in SC4S.

SC4S doesn’t have a Fortinet specific TLS listener, so swapping TCP to TLS in the env vars won’t actually do anything. Essentially, there is no SC4S_LISTEN_FORTINET_TLS_PORT, which is why your logs stopped showing up.

For Fortinet, you should enable TLS globally and the logs should be sent to the default TLS syslog listener, not a Fortinet-named port. The correct setup would be to enable TLS and configure a default TLS port, for example 6514 or whatever custom port you want to use. FortiGate then sends syslog over TLS to that port. Because you’re no longer using a Fortinet-specific listener, SC4S may not automatically tag the events as Fortinet based on port. The right way to handle that is to use source-based metadata overrides (by FortiGate IP or hostname) to force the correct sourcetype and index. That’s pretty common when multiple vendors share the same TLS listener.

Also make sure the FortiGate side matches what SC4S is listening for. Fortinet TCP syslog often uses RFC6587 framing, and switching to TLS can change behavior depending on the options you pick. If the framing or mode doesn’t match, SC4S will accept the connection but not parse the data correctly.

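As an added example (not part of either post, and not SC4S's own shipped configuration), this is the shape of the source-based override Wander describes: a default TLS listener in the env file plus an SC4S "vendor product by source" app parser that tags events from the FortiGate by hostname or IP instead of by port. It assumes SC4S's documented sc4s-vps app-parser mechanism, the local config directory /opt/sc4s/local/config/app_parsers, and the p_set_netsource_fields parser; the hostname pattern and IP address are constructed.

```conf
# File: /opt/sc4s/local/config/app_parsers/app-vps-fortigate.conf
# (path and file name are assumptions; adjust to your SC4S deployment)
#
# Pairs with these env_file settings, which replace the Fortinet-named
# RFC6587/RFC5425 listeners with the shared default TLS listener:
#   SC4S_SOURCE_TLS_ENABLE=yes
#   SC4S_LISTEN_DEFAULT_TLS_PORT=6514
#
# Events arriving on the shared TLS port carry no vendor-specific port that
# SC4S could key on, so match the FortiGate by source host and force the
# fortinet/fortios vendor/product pair, which drives sourcetype and index.
application app-vps-fortigate[sc4s-vps] {
    filter {
        # syslog-ng host() glob on the device hostname (constructed pattern)
        host("fortigate-*" type(glob))
        # or match the management IP directly (constructed example address)
        or netmask("192.0.2.10/32")
    };
    parser {
        p_set_netsource_fields(
            vendor('fortinet')
            product('fortios')
        );
    };
};
```

After restarting SC4S, confirm the override took effect by checking that events from that host land in the expected index and sourcetype rather than the generic syslog fallback, and that the FortiGate's TLS syslog mode uses framing the default listener accepts.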