I am trying to implement a postfilter in Splunk Connect for Syslog to drop east-west (internal-to-internal) Fortigate traffic before it reaches Splunk, specifically Fortinet FortiOS traffic logs where both srcip and dstip fall within the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
My current configuration uses a sc4s-postfilter application with a filter matching on sc4s_vendor=fortinet, sc4s_product=fortios, and the traffic fields, and then attempts to drop events using rewrite(r_set_dest_splunk_null_queue) inside a block parser that is invoked by the application.
However, I am running into two problems: when using the rewrite inside a block parser I get syslog-ng appmodel parsing errors such as “unexpected KW_REWRITE”, causing the container to crash or restart, and when I adjust the syntax so that SC4S starts cleanly, the filter appears to run but no events are actually dropped and the Fortigate traffic still shows up in Splunk unchanged.
I have confirmed that SC4S is running in Docker, syslog-ng configuration passes validation, Fortigate logs are being parsed correctly with srcip/dstip present, and ingestion into Splunk via HEC is working normally, so the issue appears to be specifically with how the postfilter is structured or executed.
I am unsure whether r_set_dest_splunk_null_queue is still the correct method for dropping events, whether block parser + channel is still valid in modern SC4S versions, or how to properly verify that a postfilter is actually being executed, so I am looking for guidance or a working example of how to correctly implement east-west traffic suppression in SC4S.
# Block parser invoked by the postfilter application: routes the event to the null queue
block parser fortigate_drop_eastwest-postfilter() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

# Postfilter application: matches FortiOS forward-traffic allow events whose srcip and dstip are both internal
application fortigate_drop_eastwest-postfilter[sc4s-postfilter] {
    filter {
        "${fields.sc4s_vendor}" == "fortinet"
        and "${fields.sc4s_product}" == "fortios"
        and "${fields.type}" == "traffic"
        and "${fields.subtype}" == "forward"
        and "${fields.action}" == "allow"
        # srcip in 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12
        and (
            match("^10\\.", value("fields.srcip"))
            or match("^192\\.168\\.", value("fields.srcip"))
            or match("^172\\.(1[6-9]|2[0-9]|3[0-1])\\.", value("fields.srcip"))
        )
        # dstip in 10.0.0.0/8, 192.168.0.0/16 or 172.16.0.0/12
        and (
            match("^10\\.", value("fields.dstip"))
            or match("^192\\.168\\.", value("fields.dstip"))
            or match("^172\\.(1[6-9]|2[0-9]|3[0-1])\\.", value("fields.dstip"))
        );
    };
    parser {
        fortigate_drop_eastwest-postfilter();
    };
};
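Since a drop rule permanently removes telemetry, it helps to check the match conditions against known log lines before trusting the SC4S postfilter. The following is an added Python example, not code from SC4S, syslog-ng or the post above: it parses constructed FortiOS key=value traffic lines, applies the same conditions as the posted filter (type/subtype/action plus both endpoints in the three private ranges), and compares the posted regex approach against a CIDR check from the standard library so that boundary cases such as 172.32.x.x or malformed addresses are visible. The sample lines and the function names are constructed for illustration; it does not exercise syslog-ng itself.

```python
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Tuple

# The three ranges named in the question, as CIDR networks.
PRIVATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The regexes from the posted postfilter, with one level of backslash escaping removed.
PRIVATE_RES = [re.compile(p) for p in (r"^10\.", r"^192\.168\.", r"^172\.(1[6-9]|2[0-9]|3[0-1])\.")]

# FortiOS logs are key=value pairs; string values are double-quoted, IPs and numbers are bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines (not real device output); the comment states the expected outcome.
SAMPLE_LINES = [
    'date=2024-01-01 time=00:00:01 devname="fw1" type="traffic" subtype="forward" action="allow" srcip=10.1.2.3 dstip=192.168.10.5 dstport=443',   # east-west: drop
    'date=2024-01-01 time=00:00:02 devname="fw1" type="traffic" subtype="forward" action="allow" srcip=10.1.2.3 dstip=203.0.113.7 dstport=443',    # north-south: keep
    'date=2024-01-01 time=00:00:03 devname="fw1" type="traffic" subtype="forward" action="allow" srcip=172.32.0.9 dstip=10.0.0.1 dstport=22',      # 172.32/16 is not private: keep
    'date=2024-01-01 time=00:00:04 devname="fw1" type="traffic" subtype="forward" action="deny" srcip=10.1.2.3 dstip=10.9.9.9 dstport=445',        # deny, not allow: keep
    'date=2024-01-01 time=00:00:05 devname="fw1" type="event" subtype="system" logdesc="Admin login" srcip=10.1.2.3',                               # not a traffic log: keep
]


def parse_fortios(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_private(ip: str) -> bool:
    """CIDR-based check: True only for a well-formed address inside one of PRIVATE_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def regex_private(ip: str) -> bool:
    """Prefix-regex check equivalent to the match() conditions in the posted filter."""
    return any(r.match(ip) for r in PRIVATE_RES)


def should_drop(fields: Dict[str, str], classifier: Callable[[str], bool] = is_private) -> bool:
    """Mirror the posted filter: forward-traffic allow events with both endpoints internal."""
    return (
        fields.get("type") == "traffic"
        and fields.get("subtype") == "forward"
        and fields.get("action") == "allow"
        and classifier(fields.get("srcip", ""))
        and classifier(fields.get("dstip", ""))
    )


def apply_postfilter(lines: Iterable[str], classifier: Callable[[str], bool] = is_private) -> Tuple[List[str], List[str]]:
    """Split lines into (kept, dropped) the way the postfilter would route them."""
    kept: List[str] = []
    dropped: List[str] = []
    for line in lines:
        (dropped if should_drop(parse_fortios(line), classifier) else kept).append(line)
    return kept, dropped


def regex_mismatches(addresses: Iterable[str]) -> List[str]:
    """Addresses on which the regex and CIDR classifiers disagree (e.g. malformed octets)."""
    return [ip for ip in addresses if regex_private(ip) != is_private(ip)]


if __name__ == "__main__":
    kept, dropped = apply_postfilter(SAMPLE_LINES)
    print(f"kept={len(kept)} dropped={len(dropped)}")
    for line in dropped:
        print("DROP:", line)
    print("regex/CIDR disagreements:", regex_mismatches(["10.1.2.3", "172.32.0.1", "10.1.2.300"]))
```

Run it with a few lines captured from your own SC4S input (taken from the raw syslog payload, not from Splunk) to see which events the conditions would route to the null queue; anything in the dropped list that you still need in Splunk means the filter is too broad. The regex/CIDR comparison only reveals disagreement on malformed values, which confirms the posted patterns cover exactly the three ranges for well-formed addresses.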