Fortigate Firewall Syslog distinguish

AtherAD
New Member

Hi,

I am forwarding FortiGate firewall syslogs to a Windows universal forwarder, and this data is sent to a single Splunk search head, but the FortiGate logs are appearing by their IP; I want to distinguish them by their hostname. I have created the file inputs.conf in c:/programfiles/splunkforwarder/etc/system/local and

I have put the following stanza into it:

[udp://514]
sourcetype = firewall_logs
connection_host = 192.168.1.*, 192.168.1.* (the FortiGate IPs)
host = both FortiGate hostnames, comma separated

but the events are appearing under a single hostname.


PickleRick
SplunkTrust

As @gcusello already pointed out, your idea of configuring the input was wrong, but let me add my three cents to this.

1) I'm not sure about FortiGate logs, but generally, if you have RFC-compliant syslog, TAs do extract the host entry from the event itself, so the field value assigned by the input is overwritten during the ingestion process.

2) It's not a very good idea to read syslog events directly on a forwarder, for various reasons: performance, manageability, lack of network-level metadata. It's better to use an intermediate syslog daemon, either sending to a HEC input or at least writing to files and reading those files with the forwarder. There are various options here, most notably SC4S.

EDIT:

3) Oh, and you definitely don't want to set the sourcetype to "firewall_logs". If you're using a TA for FortiGate, use the proper sourcetype for this data as specified in the TA's docs.

gcusello
SplunkTrust

Hi @AtherAD ,

The connection_host parameter defines how the host is associated with the event (ip or dns); you cannot use it to assign a host.

In addition, you cannot assign multiple hostnames to an input, only one at a time (and if so using host, not connection_host).

You could try to use the connection_host parameter in your input as described at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#UDP_.28User_Datagram_Protocol_ne... :

connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  that sends the data. For this to work correctly, set the forward DNS lookup
  to match the reverse DNS lookup in your DNS configuration.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
  system hostname.
* If the input is configured with a 'sourcetype' that has a transform that
  overrides the 'host' field e.g. 'sourcetype=syslog', that takes
  precedence over the host specified here.
* Default: ip

In your case:

[udp://514]
sourcetype = firewall_logs
connection_host = dns
disabled = 0
acceptFrom = 192.168.1.*, 192.168.1.*

Ciao.

Giuseppe

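To make the precedence both answers describe concrete (the input assigns a host from connection_host; a transform that writes MetaData:Host from the event body then overrides it), here is an added example that is not part of the thread or of any Splunk or Fortinet add-on. It parses a transforms.conf stanza written in real Splunk syntax, applies it to constructed FortiGate-style syslog lines tagged with the sender IP the UDP input would see, and reports which host values end up on the events for connection_host = none, ip and dns. The stanza name, the sample events, the device names and the reverse-DNS table are all assumptions made up for the example; the props.conf side that would wire the transform to the sourcetype is shown in a comment.

```python
import configparser
import re

# Forwarder's own hostname, which is what the event keeps when connection_host = none
# and the stanza sets no host=. Constructed for this example.
FORWARDER_HOST = "win-uf-01"

# Constructed reverse-DNS answers standing in for what connection_host = dns would resolve.
REVERSE_DNS = {
    "192.168.1.10": "fgt-branch-a.example.net",
    "192.168.1.11": "fgt-branch-b.example.net",
}

# Constructed sample: three events as two FortiGate units would send them to UDP/514,
# paired with the sender IP. Device names, IDs and addresses are made up.
SAMPLE_EVENTS = [
    ("192.168.1.10", 'date=2024-05-01 time=10:15:01 devname="FGT-BRANCH-A" devid="FGT60FTK00000001" '
                     'logid="0000000013" type="traffic" subtype="forward" action="accept" srcip=10.1.1.5 dstip=8.8.8.8'),
    ("192.168.1.11", 'date=2024-05-01 time=10:15:02 devname="FGT-BRANCH-B" devid="FGT60FTK00000002" '
                     'logid="0000000013" type="traffic" subtype="forward" action="deny" srcip=10.2.2.7 dstip=1.1.1.1'),
    # Older firmware emits unquoted values; the REGEX below handles both forms.
    ("192.168.1.10", 'date=2024-05-01 time=10:15:03 devname=FGT-BRANCH-A devid=FGT60FTK00000001 '
                     'logid=0100032001 type=event subtype=system action=login status=failed user=admin'),
]

# transforms.conf stanza in Splunk syntax (stanza name is an assumption). The matching
# props.conf entry would be:
#   [firewall_logs]
#   TRANSFORMS-host = fortigate_host_from_devname
TRANSFORMS_CONF = r"""
[fortigate_host_from_devname]
REGEX = devname="?([^"\s]+)"?
FORMAT = host::$1
DEST_KEY = MetaData:Host
"""


def parse_transform(conf_text):
    """Read a single transforms.conf stanza into a dict with the REGEX compiled."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / FORMAT / DEST_KEY as written
    cp.read_string(conf_text)
    name = cp.sections()[0]
    stanza = cp[name]
    return {
        "name": name,
        "regex": re.compile(stanza["REGEX"]),
        "format": stanza["FORMAT"],
        "dest_key": stanza["DEST_KEY"],
    }


def input_host(sender_ip, connection_host):
    """Host value the UDP input itself assigns, per the connection_host setting."""
    if connection_host == "ip":
        return sender_ip
    if connection_host == "dns":
        # Splunk does a reverse lookup here; fall back to the IP when nothing resolves.
        return REVERSE_DNS.get(sender_ip, sender_ip)
    if connection_host == "none":
        return FORWARDER_HOST
    raise ValueError(f"unknown connection_host value: {connection_host!r}")


def apply_host_transform(raw_event, transform):
    """Return the host the transform sets, or None if its REGEX does not match."""
    if transform["dest_key"] != "MetaData:Host":
        return None
    m = transform["regex"].search(raw_event)
    if not m:
        return None
    # Expand $1, $2 ... in FORMAT, then strip the "host::" key prefix.
    value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), transform["format"])
    prefix = "host::"
    return value[len(prefix):] if value.startswith(prefix) else value


def ingest(events, connection_host, transform=None):
    """Model ingestion order: input-level host first, event-level transform overrides it."""
    out = []
    for sender_ip, raw in events:
        host = input_host(sender_ip, connection_host)
        if transform is not None:
            override = apply_host_transform(raw, transform)
            if override:
                host = override
        out.append((host, raw))
    return out


def hosts_seen(events, connection_host, transform=None):
    """Distinct host values the search head would see for these events."""
    return sorted({h for h, _ in ingest(events, connection_host, transform)})


if __name__ == "__main__":
    t = parse_transform(TRANSFORMS_CONF)
    for mode in ("none", "ip", "dns"):
        print(f"connection_host={mode:<4} without transform -> {hosts_seen(SAMPLE_EVENTS, mode)}")
        print(f"connection_host={mode:<4} with devname rule -> {hosts_seen(SAMPLE_EVENTS, mode, t)}")
```

Running it shows the three outcomes side by side: with connection_host = none and no transform every event collapses onto the forwarder's name, ip and dns keep the two senders apart but only by address or PTR record, and the devname transform yields the firewall's own hostname whatever the input setting was. One caveat before relying on the event-body route in production: the host is then whatever the sender put in the packet, and plain UDP syslog is spoofable, so acceptFrom on the input (as in Giuseppe's stanza) is a filter on claimed source addresses rather than an authentication of the device.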