Splunk HF Stops Receiving Fortigate WAF Logs via Syslog Intermittently

refahiati
Explorer

Hello everyone,

I'm currently collecting logs from a Fortigate WAF using Syslog, but I've encountered an issue where, after running smoothly for a while, the Splunk Heavy Forwarder (HF) suddenly stops receiving and forwarding the logs. The only way to resolve this is by restarting the HF, after which everything works fine again, but the problem eventually recurs.

Could anyone advise on:

  • Possible causes for this intermittent log collection issue
  • Any specific configurations to keep the Syslog input stable
  • Troubleshooting steps or recommended best practices to prevent having to restart the HF frequently
  • Any insights or similar experiences would be much appreciated!

Thank you!
