Hi,
I was receiving FortiGate logs just fine when I was using the below config in the env file.
SC4S_SOURCE_TLS_ENABLE=yes
SC4S_LISTEN_FORTINET_RFC6587_PORT=9XXX
SC4S_LISTEN_FORTINET_RFC5425_PORT=9XXX
After applying TLS on my other sources, for example it went from
SC4S_LISTEN_DELL_IDRAC_TCP_PORT=9XXX to SC4S_LISTEN_DELL_IDRAC_TLS_PORT=9XXX
and it worked just by replacing the protocol to TLS.
However, it's not that straightforward for the FORTINET logs. Has anyone encountered this situation before?
Appreciate the help. 😃
FortiGate isn’t handled the same way as iDRAC in SC4S.
SC4S doesn’t have a Fortinet specific TLS listener, so swapping TCP to TLS in the env vars won’t actually do anything. Essentially, there is no SC4S_LISTEN_FORTINET_TLS_PORT, which is why your logs stopped showing up.
For Fortinet, you should enable TLS globally and the logs should be sent to the default TLS syslog listener, not a Fortinet-named port. The correct setup would be to enable TLS and configure a default TLS port, for example 6514 or whatever custom port you want to use. FortiGate then sends syslog over TLS to that port. Because you’re no longer using a Fortinet-specific listener, SC4S may not automatically tag the events as Fortinet based on port. The right way to handle that is to use source-based metadata overrides (by FortiGate IP or hostname) to force the correct sourcetype and index. That’s pretty common when multiple vendors share the same TLS listener.
Also make sure the FortiGate side matches what SC4S is listening for. Fortinet TCP syslog often uses RFC6587 framing, and switching to TLS can change behavior depending on the options you pick. If the framing or mode doesn’t match, SC4S will accept the connection but not parse the data correctly.
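The framing point in the answer above is easy to check offline. The following is an added example, not code from the original thread or from SC4S: it implements the two RFC 6587 framings (octet-counting, which is also what RFC 5425 syslog-over-TLS uses, and LF-terminated non-transparent framing) and shows what a listener sees when the sender uses the other one. The sample records are constructed to look like FortiGate key=value lines; they are not real device output, and the field values are made up.

```python
"""Added example: RFC 6587 / RFC 5425 syslog framing and what a framing
mismatch looks like on the receiving side. Not part of SC4S or the thread."""
from typing import Callable, Dict, List

# Constructed sample records in FortiGate-like key=value style (made-up values).
SAMPLE_MESSAGES: List[str] = [
    '<189>date=2024-01-01 time=12:00:00 devname="fw-example" logid="0000000013" type="traffic"',
    '<189>date=2024-01-01 time=12:00:01 devname="fw-example" logid="0000000013" type="traffic" action="deny"',
]


def frame_octet_counting(msg: str) -> bytes:
    """Octet-counting framing: MSG-LEN SP SYSLOG-MSG (RFC 6587 s3.4.1, RFC 5425 s4.3).
    MSG-LEN counts the bytes of the UTF-8 encoded message, not characters."""
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def frame_non_transparent(msg: str) -> bytes:
    """Non-transparent framing (RFC 6587 s3.4.2): the message is terminated by LF."""
    return msg.encode("utf-8") + b"\n"


def parse_octet_counting(stream: bytes) -> List[str]:
    """Consume a byte stream of octet-counted frames.
    Raises ValueError if a frame does not begin with a decimal MSG-LEN."""
    out: List[str] = []
    pos = 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1 or not stream[pos:sp].isdigit():
            raise ValueError(f"expected MSG-LEN at offset {pos}, got {stream[pos:pos + 20]!r}")
        length = int(stream[pos:sp])
        start = sp + 1
        out.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return out


def parse_non_transparent(stream: bytes) -> List[str]:
    """Split a byte stream on LF; the empty tail after the final LF is dropped."""
    return [part.decode("utf-8") for part in stream.split(b"\n") if part]


def roundtrip(messages: List[str],
              frame: Callable[[str], bytes],
              parse: Callable[[bytes], List[str]]) -> List[str]:
    """Frame every message with `frame`, concatenate as a TCP/TLS stream would, and parse."""
    stream = b"".join(frame(m) for m in messages)
    return parse(stream)


def mismatch_report(messages: List[str]) -> Dict[str, object]:
    """Show both mismatch directions. The connection is fine in each case; only the
    record boundaries are wrong, which is the symptom described in the answer."""
    octet_stream = b"".join(frame_octet_counting(m) for m in messages)
    lf_stream = b"".join(frame_non_transparent(m) for m in messages)
    report: Dict[str, object] = {}
    # Listener expects LF framing but the sender uses octet counting: no LF ever
    # arrives, so all messages fuse into one record with the length prefixes embedded.
    report["lf_listener_given_octet_frames"] = parse_non_transparent(octet_stream)
    # Listener expects octet counting but the sender uses LF framing: the first
    # bytes are "<189>..." rather than a length, so the frame is rejected.
    try:
        report["octet_listener_given_lf_frames"] = parse_octet_counting(lf_stream)
    except ValueError as exc:
        report["octet_listener_given_lf_frames"] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    print("octet-counting roundtrip:", roundtrip(SAMPLE_MESSAGES, frame_octet_counting, parse_octet_counting))
    print("non-transparent roundtrip:", roundtrip(SAMPLE_MESSAGES, frame_non_transparent, parse_non_transparent))
    for key, value in mismatch_report(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

When the sender and listener agree, both `roundtrip` calls return the original messages unchanged. When they disagree, the octet-counted stream fed to an LF-framed listener comes back as a single record beginning with the first message's byte length, and the LF-framed stream fed to an octet-counting listener is rejected at offset 0. Either way the TCP or TLS session itself stays up, so checking the parsed events rather than the connection state is the quickest way to confirm that the FortiGate framing option matches the SC4S listener.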