SC4S postfilter not dropping Fortigate east-west traffic (syslog-ng rewrite/appmodel errors)

loganallen
Loves-to-Learn

I am trying to implement a postfilter in Splunk Connect for Syslog to drop east-west (internal-to-internal) Fortigate traffic before it reaches Splunk, specifically Fortinet FortiOS traffic logs where both srcip and dstip fall within the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

My current configuration uses a sc4s-postfilter application with a filter matching on sc4s_vendor=fortinet, sc4s_product=fortios, and the traffic fields, and then attempts to drop events using rewrite(r_set_dest_splunk_null_queue) inside a block parser that is invoked by the application.

However, I am running into two problems: when using the rewrite inside a block parser I get syslog-ng appmodel parsing errors such as “unexpected KW_REWRITE”, causing the container to crash or restart, and when I adjust the syntax so that SC4S starts cleanly, the filter appears to run but no events are actually dropped and the Fortigate traffic still shows up in Splunk unchanged.

I have confirmed that SC4S is running in Docker, syslog-ng configuration passes validation, Fortigate logs are being parsed correctly with srcip/dstip present, and ingestion into Splunk via HEC is working normally, so the issue appears to be specifically with how the postfilter is structured or executed.

I am unsure whether r_set_dest_splunk_null_queue is still the correct method for dropping events, whether block parser + channel is still valid in modern SC4S versions, or how to properly verify that a postfilter is actually being executed, so I am looking for guidance or a working example of how to correctly implement east-west traffic suppression in SC4S.

block parser fortigate_drop_eastwest-postfilter() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application fortigate_drop_eastwest-postfilter[sc4s-postfilter] {

    filter {

        "${fields.sc4s_vendor}" == "fortinet"
        and "${fields.sc4s_product}" == "fortios"
        and "${fields.type}" == "traffic"
        and "${fields.subtype}" == "forward"
        and "${fields.action}" == "allow"

        and (
            match("^10\\.", value("fields.srcip"))
            or match("^192\\.168\\.", value("fields.srcip"))
            or match("^172\\.(1[6-9]|2[0-9]|3[0-1])\\.", value("fields.srcip"))
        )

        and (
            match("^10\\.", value("fields.dstip"))
            or match("^192\\.168\\.", value("fields.dstip"))
            or match("^172\\.(1[6-9]|2[0-9]|3[0-1])\\.", value("fields.dstip"))
        );
    };

    parser {
        fortigate_drop_eastwest-postfilter();
    };
};
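One thing worth separating out while debugging is whether the filter predicate itself is right, independently of whether the syslog-ng rewrite/null-queue plumbing is firing. The block below is an added example, not code from the post or from SC4S: it transcribes the post's filter condition (vendor, product, type, subtype, action, and the three RFC 1918 prefix regexes on srcip/dstip) into Python and runs it over constructed FortiOS-shaped records, comparing the prefix-regex classification against a CIDR membership check from the ipaddress module. The field names are the ones used in the post; the sample addresses and event ids are made up.

```python
"""Offline check of the east-west drop predicate from the post.

Re-implements the filter condition (vendor/product/type/subtype/action plus
both IPs in RFC 1918 space) in Python so the match logic can be verified on
sample records independently of the syslog-ng rewrite mechanics.
"""
import ipaddress
import re

# The three patterns used by the post's filter (syslog-ng match() on the
# srcip/dstip field values), transcribed into Python regular expressions.
POST_PATTERNS = [
    re.compile(r"^10\."),
    re.compile(r"^192\.168\."),
    re.compile(r"^172\.(1[6-9]|2[0-9]|3[0-1])\."),
]

# Reference definition of the same address space using the ipaddress module.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private_regex(ip: str) -> bool:
    """Prefix test exactly as the post's filter does it."""
    return any(p.match(ip) for p in POST_PATTERNS)


def is_private_strict(ip: str) -> bool:
    """Reference test: parse the address and check CIDR membership."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable value: never treat as internal
    return any(addr in net for net in RFC1918)


def should_drop(ev: dict, classifier=is_private_regex) -> bool:
    """The post's filter predicate: allowed forward traffic, both ends internal."""
    return (
        ev.get("sc4s_vendor") == "fortinet"
        and ev.get("sc4s_product") == "fortios"
        and ev.get("type") == "traffic"
        and ev.get("subtype") == "forward"
        and ev.get("action") == "allow"
        and classifier(ev.get("srcip", ""))
        and classifier(ev.get("dstip", ""))
    )


def apply_postfilter(events, classifier=is_private_regex):
    """Split events into (kept, dropped) the way the postfilter is meant to."""
    kept, dropped = [], []
    for ev in events:
        (dropped if should_drop(ev, classifier) else kept).append(ev)
    return kept, dropped


def fortios_event(eid, srcip, dstip, **overrides):
    """Build a constructed record shaped like SC4S's parsed FortiOS fields."""
    ev = {"id": eid, "sc4s_vendor": "fortinet", "sc4s_product": "fortios",
          "type": "traffic", "subtype": "forward", "action": "allow",
          "srcip": srcip, "dstip": dstip}
    ev.update(overrides)
    return ev


# Constructed sample events (made-up addresses and ids, not real log data).
SAMPLE_EVENTS = [
    fortios_event("ew-10-to-192", "10.1.2.3", "192.168.5.6"),           # drop
    fortios_event("ew-172", "172.20.0.1", "172.31.255.254"),            # drop
    fortios_event("not-private-172", "172.32.0.1", "10.0.0.1"),         # keep
    fortios_event("north-south", "10.1.1.1", "203.0.113.9"),            # keep
    fortios_event("ew-denied", "10.1.1.1", "10.2.2.2", action="deny"),  # keep
    fortios_event("utm-log", "10.1.1.1", "10.2.2.2", type="utm"),       # keep
    fortios_event("cgnat", "100.64.0.1", "10.0.0.1"),                   # keep
    fortios_event("garbled", "10.x.y.z", "10.0.0.1"),  # regex and CIDR disagree
]


def dropped_ids(events=SAMPLE_EVENTS, classifier=is_private_regex):
    """Ids of the events the predicate would send to the null queue."""
    return [ev["id"] for ev in apply_postfilter(events, classifier)[1]]


if __name__ == "__main__":
    print("regex :", dropped_ids())
    print("strict:", dropped_ids(classifier=is_private_strict))
```

If this drops exactly the two east-west "allow" records and nothing else, the predicate is sound and the remaining problem is in how SC4S invokes the parser block, not in the filter. The one place the two classifiers differ is a value like "10.x.y.z": the prefix regex accepts anything starting with "10.", while the CIDR check only accepts a parseable address, so malformed srcip/dstip values would be silently discarded by the regex version.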

 
