Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0, why are Fortigate Events not forwarding correctly?

beano501
Explorer
‎06-01-2022 08:57 AM

I have the following line in my splunk_metadata.csv to forward forcepoint proxy logs to the index called proxy_forcepoint. This worked when running the latest 1.x release.

Post upgrade, some of the events still go into the index above (these have the sc4s_vendor_product field set to forcepoint), whereas other events are delivered to the lastchanceindex (these to not have a field sc4s_vendor_product)

Looking in app-syslog-forcepoint_webprotect.conf (from the source from 2.29 source), Forcepoint messages are recognised by "vendor=Forcepoint" (which all messages have), and if Product is "Security" (which all messages have) - then the rewrite rule should set "product("webprotect")". 

 

So I cannot see what is obviously wrong in the configuration or events, or how to investigate the events to set the line in splunk_metadata.csv  appropriately to get the routing to happen as I wish

 

All help appreciated

Labels (1)
Labels
Tags (2)
0 Karma
Reply

Random_Walk
Path Finder
‎06-02-2022 12:26 AM

I have the following line in my splunk_metadata.csv

I don't see any line there sir. 

0 Karma
Reply

beano501
Explorer
‎06-06-2022 01:08 AM

Doh 😞

 

forcepoint_webprotect,index,proxy_forcepoint

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...