Fortigate Firewall Syslog distinguish

AtherAD
Engager

Hi,

I am forwarding Fortigate firewall syslogs to a Windows universal forwarder, and this data is sent to a Splunk single search head, but the Fortigate logs are appearing by their IP; I want to distinguish them by their hostname. I have created the file inputs.conf in c:/programfiles/splunkforwarder/etc/system/local and

I have put the following stanza into it:

[udp://514]
sourcetype=firewall_logs
connection_host= 192.168.1.*, 192.168.1.* (Fortigate IPs)
host= both Fortigate hostnames, comma separated

but all the logs are appearing under a single hostname.


PickleRick
SplunkTrust

As @gcusello already pointed out, your idea of configuring the input was wrong but let me add my three cents to this.

1) I'm not sure about Fortigate logs, but generally, if you have RFC-compliant syslogs, TAs do extract the host entry from the event itself, so the field value assigned by the input is overwritten during the ingestion process.

2) It's not a very good idea to read syslog events directly on a forwarder. For various reasons - performance, manageability, lack of network-level metadata. It's better to use an intermediate syslog daemon either sending to a HEC input or at least writing to files and reading those files with the forwarder. There are various options here. Most notably SC4S.

EDIT:

3) Oh, and you definitely don't want to set the sourcetype to "firewall_logs". If you're using a TA for Fortigate, use the proper sourcetype for this data as specified in the TA's docs.


gcusello
SplunkTrust

Hi @AtherAD ,

the connection_host parameter is useful to define the way to associate the host (ip or dns); you cannot use it to assign a host.

In addition, you cannot assign multiple hostnames to an input, but only one at a time (if anything, using host, not connection_host).

You could try to use the connection_host parameter in your input as described at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#UDP_.28User_Datagram_Protocol_ne... :

connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  that sends the data. For this to work correctly, set the forward DNS lookup
  to match the reverse DNS lookup in your DNS configuration.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
  system hostname.
* If the input is configured with a 'sourcetype' that has a transform that
  overrides the 'host' field e.g. 'sourcetype=syslog', that takes
  precedence over the host specified here.
* Default: ip

In your case:

[udp://514]
sourcetype = firewall_logs
connection_host = dns
disabled = 0
acceptFrom = 192.168.1.*, 192.168.1.*

Ciao.

Giuseppe

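The two mechanisms discussed in this thread side by side, as an added example that is not part of any post here: PickleRick's point 1 (a TA pulling the host out of the event) and the connection_host precedence in the inputs.conf docs gcusello quoted. The FortiGate devname field, the sample IPs, the events and the forwarder name are constructed assumptions; the regex stands in for a transforms.conf host override.

```python
import re
from typing import Callable, Optional

# Constructed sample datagrams as a udp://514 input would see them: (sender IP, raw event).
# FortiGate's default syslog format carries the appliance name in devname="..." rather
# than in an RFC 3164 header; the third line stands for a sender with no such field.
SAMPLE_EVENTS = [
    ("192.168.1.10", '<189>date=2024-05-01 time=10:15:02 devname="FGT-BRANCH-A" '
                     'devid="FG-PLACEHOLDER-1" logid="0000000013" type="traffic" action="accept"'),
    ("192.168.1.11", '<189>date=2024-05-01 time=10:15:03 devname="FGT-BRANCH-B" '
                     'devid="FG-PLACEHOLDER-2" logid="0000000013" type="traffic" action="deny"'),
    ("192.168.1.12", "<189>appliance with no devname field in the event"),
]

# What a TA's host-override transform does, expressed as a regex. The transforms.conf
# equivalent would be: REGEX = devname="([^"]+)"  FORMAT = host::$1  DEST_KEY = MetaData:Host
HOST_OVERRIDE = re.compile(r'devname="([^"]+)"')


def resolve_host(sender_ip: str, raw: str, connection_host: str = "ip",
                 override: Optional[re.Pattern] = HOST_OVERRIDE,
                 reverse_dns: Callable[[str], Optional[str]] = lambda ip: None,
                 forwarder_name: str = "uf-win01") -> str:
    """Apply the precedence from the quoted inputs.conf docs: a sourcetype transform
    that rewrites host wins; otherwise connection_host (ip|dns|none) decides.
    reverse_dns is injected so the example runs offline; forwarder_name is a placeholder."""
    if override is not None:
        match = override.search(raw)
        if match:
            return match.group(1)
    if connection_host == "ip":
        return sender_ip
    if connection_host == "dns":
        # Assumed fallback: keep the IP when no PTR record resolves.
        return reverse_dns(sender_ip) or sender_ip
    if connection_host == "none":
        return forwarder_name
    raise ValueError(f"unsupported connection_host value: {connection_host!r}")


def hosts_for(events, **settings):
    """Resolve the host field for every (sender_ip, raw) pair under one input configuration."""
    return [resolve_host(ip, raw, **settings) for ip, raw in events]


if __name__ == "__main__":
    for setting in ("ip", "dns", "none"):
        print(setting, hosts_for(SAMPLE_EVENTS, override=None, connection_host=setting))
    print("with transform", hosts_for(SAMPLE_EVENTS))
```

Without the transform, both appliances collapse onto whatever connection_host yields for each sender; with it, each event carries its own device name regardless of the input setting.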