Getting Data In

SC4S TLS config for Fortigate logs

wayne333
Explorer

Hi,

I was recieving fortigate log just fine when i was using the below config in the env file.
SC4S_SOURCE_TLS_ENABLE=yes
SC4S_LISTEN_FORTINET_RFC6587_PORT=9XXX
SC4S_LISTEN_FORTINET_RFC5425_PORT=9XXX

After applying TLS on my other sources, for example it went from

SC4S_LISTEN_DELL_IDRAC_TCP_PORT=9XXX to SC4S_LISTEN_DELL_IDRAC_TLS_PORT=9XXX

and it worked just by replacing the protocol to TLS. 

However, it's not that straight forward for the FORTINET logs.  Anyone has encountered this situation before?

Appreciate the help. 😃

Labels (3)
0 Karma

Wander
Path Finder

FortiGate isn’t handled the same way as iDRAC in SC4S.

SC4S doesn’t have a Fortinet specific TLS listener, so swapping TCP to TLS in the env vars won’t actually do anything. Essentially, there is no SC4S_LISTEN_FORTINET_TLS_PORT, which is why your logs stopped showing up.

For Fortinet, you should enable TLS globally and the logs should be sent to the default TLS syslog listener, not a Fortinet-named port. The correct setup would be to enable TLS and configure a default TLS port, for example 6514 or whatever custom port you want to use. FortiGate then sends syslog over TLS to that port. Because you’re no longer using a Fortinet-specific listener, SC4S may not automatically tag the events as Fortinet based on port. The right way to handle that is to use source-based metadata overrides (by FortiGate IP or hostname) to force the correct sourcetype and index. That’s a pretty common when multiple vendors share the same TLS listener.

Also make sure the FortiGate side matches what SC4S is listening for. Fortinet TCP syslog often uses RFC6587 framing, and switching to TLS can change behavior depending on the options you pick. If the framing or mode doesn’t match, SC4S will accept the connection but not parse the data correctly.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...