Getting Data In

Splunk Connect For Syslog - Since Upgrade From 1.x to 2.29.0, why are Fortigate Events not forwarding correctly?

beano501
Engager

I have the following line in my splunk_metadata.csv to forward forcepoint proxy logs to the index called proxy_forcepoint. This worked when running the latest 1.x release.

Post upgrade, some of the events still go into the index above (these have the sc4s_vendor_product field set to forcepoint), whereas other events are delivered to the lastchanceindex (these to not have a field sc4s_vendor_product)

Looking in app-syslog-forcepoint_webprotect.conf (from the source from 2.29 source), Forcepoint messages are recognised by "vendor=Forcepoint" (which all messages have), and if Product is "Security" (which all messages have) - then the rewrite rule should set "product("webprotect")". 

 

So I cannot see what is obviously wrong in the configuration or events, or how to investigate the events to set the line in splunk_metadata.csv  appropriately to get the routing to happen as I wish

 

All help appreciated

Labels (1)
Tags (2)
0 Karma

Random_Walk
Path Finder

I have the following line in my splunk_metadata.csv

I don't see any line there sir. 

0 Karma

beano501
Engager

Doh 😞

 

forcepoint_webprotect,index,proxy_forcepoint

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...