SC4S TLS config for Fortigate logs

wayne333
Explorer

Hi,

I was receiving FortiGate logs just fine when I was using the below config in the env file.
SC4S_SOURCE_TLS_ENABLE=yes
SC4S_LISTEN_FORTINET_RFC6587_PORT=9XXX
SC4S_LISTEN_FORTINET_RFC5425_PORT=9XXX

After applying TLS on my other sources, for example it went from

SC4S_LISTEN_DELL_IDRAC_TCP_PORT=9XXX to SC4S_LISTEN_DELL_IDRAC_TLS_PORT=9XXX

and it worked just by replacing the protocol to TLS. 

However, it's not that straightforward for the FORTINET logs. Has anyone encountered this situation before?

Appreciate the help. 😃

0 Karma

Wander
Path Finder

FortiGate isn’t handled the same way as iDRAC in SC4S.

SC4S doesn’t have a Fortinet-specific TLS listener, so swapping TCP to TLS in the env vars won’t actually do anything. Essentially, there is no SC4S_LISTEN_FORTINET_TLS_PORT, which is why your logs stopped showing up.

For Fortinet, you should enable TLS globally and the logs should be sent to the default TLS syslog listener, not a Fortinet-named port. The correct setup would be to enable TLS and configure a default TLS port, for example 6514 or whatever custom port you want to use. FortiGate then sends syslog over TLS to that port. Because you’re no longer using a Fortinet-specific listener, SC4S may not automatically tag the events as Fortinet based on port. The right way to handle that is to use source-based metadata overrides (by FortiGate IP or hostname) to force the correct sourcetype and index. That’s pretty common when multiple vendors share the same TLS listener.

Also make sure the FortiGate side matches what SC4S is listening for. Fortinet TCP syslog often uses RFC6587 framing, and switching to TLS can change behavior depending on the options you pick. If the framing or mode doesn’t match, SC4S will accept the connection but not parse the data correctly.

0 Karma
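
The framing mismatch mentioned in the reply above can be checked on a captured payload. This is an added example, not part of the original posts and not SC4S or Fortinet code: it distinguishes the two TCP syslog framings named in RFC 6587 (octet counting, which RFC 5425 requires over TLS, and LF-terminated non-transparent framing) and splits a stream accordingly. The sample events and all function names are constructed for illustration.

```python
import re

# Constructed sample events (not real FortiGate output), encoded in both framings.
EVENTS = [
    b'<189>date=2024-01-01 time=00:00:01 devname="fw-example" type="traffic"',
    b'<189>date=2024-01-01 time=00:00:02 devname="fw-example" type="event"',
]
OCTET_COUNTED = b"".join(b"%d %s" % (len(e), e) for e in EVENTS)
NEWLINE_DELIMITED = b"".join(e + b"\n" for e in EVENTS)

LEN_PREFIX = re.compile(rb"([1-9][0-9]*) ")

def detect_framing(stream: bytes) -> str:
    """Classify a syslog TCP/TLS stream by how its first frame starts."""
    if re.match(rb"[1-9][0-9]* <", stream):
        return "octet-counting"      # MSG-LEN SP then <PRI>
    if stream.startswith(b"<"):
        return "non-transparent"     # <PRI> first, LF as trailer
    return "unknown"

def split_octet_counted(stream: bytes) -> list[bytes]:
    """Split 'MSG-LEN SP SYSLOG-MSG' frames; raise on a bad or short frame."""
    msgs, pos = [], 0
    while pos < len(stream):
        m = LEN_PREFIX.match(stream, pos)
        if not m:
            raise ValueError(f"no length prefix at offset {pos}")
        start, length = m.end(), int(m.group(1))
        if start + length > len(stream):
            raise ValueError(f"frame at offset {pos} is truncated")
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs

def split_newline(stream: bytes) -> list[bytes]:
    """Split LF-terminated messages (non-transparent framing)."""
    return [m for m in stream.split(b"\n") if m]

def parse(stream: bytes) -> list[bytes]:
    """Pick the splitter that matches the detected framing."""
    framing = detect_framing(stream)
    if framing == "octet-counting":
        return split_octet_counted(stream)
    if framing == "non-transparent":
        return split_newline(stream)
    raise ValueError("unrecognised framing")
```

Running `split_newline` over the octet-counted payload returns a single blob that begins with a length digit instead of `<PRI>`, which is what a receiver expecting the other framing would try to parse.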