Fortigate Firewall Syslog distinguish

AtherAD
Engager

Hi,

I am forwarding FortiGate firewall syslogs to a Windows universal forwarder, and this data is sent to a single Splunk search head, but the FortiGate logs are appearing by their IP; I want to distinguish them by their hostname. I have created the file inputs.conf in c:/programfiles/splunkforwarder/etc/system/local and put the following stanza into it:

[udp://514]

sourcetype=firewall_logs

connection_host= 192.168.1.*, 192.168.1.* (the FortiGate IPs)

host= both FortiGate hostnames as comma-separated values

but the events are all appearing under a single hostname.

PickleRick
SplunkTrust

As @gcusello already pointed out, your idea of configuring the input was wrong, but let me add my three cents to this.

1) I'm not sure about FortiGate logs, but generally, if you have RFC-compliant syslogs, TAs do extract the host entry from the event itself, so the field value assigned by the input is overwritten during the ingestion process.

2) It's not a very good idea to read syslog events directly on a forwarder, for various reasons: performance, manageability, lack of network-level metadata. It's better to use an intermediate syslog daemon, either sending to a HEC input or at least writing to files and reading those files with the forwarder. There are various options here, most notably SC4S.

EDIT:

3) Oh, and you definitely don't want to set the sourcetype to "firewall_logs". If you're using a TA for FortiGate, use the proper sourcetype for this data as specified in the TA's docs.

gcusello
SplunkTrust

Hi @AtherAD ,

The connection_host parameter is used to define how the host is associated (ip or dns); you cannot use it to assign a host.

In addition, you cannot assign multiple hostnames to an input, only one at a time (and that would be done with host, not connection_host).

You could try to use the connection_host parameter in your input as described at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf#UDP_.28User_Datagram_Protocol_ne... :

connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  that sends the data. For this to work correctly, set the forward DNS lookup
  to match the reverse DNS lookup in your DNS configuration.
* "none" leaves the host as specified in inputs.conf, typically the Splunk
  system hostname.
* If the input is configured with a 'sourcetype' that has a transform that
  overrides the 'host' field e.g. 'sourcetype=syslog', that takes
  precedence over the host specified here.
* Default: ip

In your case:

[udp://514]
sourcetype = firewall_logs
connection_host = dns
disabled = 0
acceptFrom = 192.168.1.*, 192.168.1.*

Ciao.

Giuseppe

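The two answers above make two separate points: gcusello's, that connection_host only chooses how the input derives the host (sender IP, reverse DNS, or the static host= value) and cannot hold a list, and PickleRick's, that a sourcetype-level transform can overwrite that input-assigned host from the event body, which is what makes per-device hostnames possible on a shared UDP port. The following Python is an added illustration of both mechanisms and is not code from the thread, from Splunk, or from a Fortinet add-on. It emulates the three connection_host modes and a transforms.conf host override keyed on the FortiGate devname field; the log lines, IP addresses, device names, reverse-DNS table and the props/transforms fragment shown in the comments are all constructed for the example.

```python
import re

# Constructed sample input (not from the original thread): two FortiGate
# devices send RFC 3164-framed syslog to one UDP input. Hostnames, device IDs
# and IPs are made up.
SAMPLE_EVENTS = [
    ("192.168.1.10",
     '<189>date=2024-05-01 time=10:00:01 devname="FGT-BRANCH-A" devid="FG100EXXXXXXXXXX" '
     'logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=8.8.8.8 action="accept"'),
    ("192.168.1.11",
     '<189>date=2024-05-01 time=10:00:02 devname="FGT-BRANCH-B" devid="FG100EYYYYYYYYYY" '
     'logid="0000000013" type="traffic" subtype="forward" srcip=10.0.1.7 dstip=1.1.1.1 action="deny"'),
    # A line with no devname, e.g. a malformed or non-FortiGate message on the same port.
    ("192.168.1.10", "<189>May  1 10:00:03 message without a devname field"),
]

# Constructed reverse-DNS table standing in for what connection_host = dns
# would query. In production this is your resolver, and the forward and
# reverse records must agree (see the inputs.conf excerpt quoted above).
REVERSE_DNS = {
    "192.168.1.10": "fgt-branch-a.example.internal",
    "192.168.1.11": "fgt-branch-b.example.internal",
}

FORWARDER_HOSTNAME = "UF-WIN01"  # assumed forwarder name; what host= defaults to with connection_host = none

# Mirrors the regex a transforms.conf host override would use. The equivalent
# Splunk configuration (an assumption for this example, not quoted from the
# thread or from any add-on) would be:
#
#   transforms.conf
#   [fgt_host_from_devname]
#   REGEX    = devname="?([^"\s]+)
#   FORMAT   = host::$1
#   DEST_KEY = MetaData:Host
#
#   props.conf
#   [firewall_logs]
#   TRANSFORMS-host = fgt_host_from_devname
DEVNAME_RE = re.compile(r'devname="?([^"\s]+)')


def host_from_input(sender_ip, connection_host="ip", static_host=FORWARDER_HOSTNAME):
    """Host value the UDP input itself assigns, following connection_host semantics."""
    if connection_host == "ip":
        return sender_ip
    if connection_host == "dns":
        # Fall back to the IP when there is no PTR record, so events are not
        # silently tagged with the forwarder's own name.
        return REVERSE_DNS.get(sender_ip, sender_ip)
    if connection_host == "none":
        # Whatever host= says in inputs.conf, taken literally. A value like
        # "FGT-A, FGT-B" is one string, not a list of two hosts.
        return static_host
    raise ValueError(f"unknown connection_host mode: {connection_host}")


def host_from_event(raw):
    """Per-event host override, as a sourcetype-level transform would do it."""
    m = DEVNAME_RE.search(raw)
    return m.group(1) if m else None


def assign_host(sender_ip, raw, connection_host="ip", static_host=FORWARDER_HOSTNAME):
    """Final host: the event-level override wins when it matches, else the input's value."""
    return host_from_event(raw) or host_from_input(sender_ip, connection_host, static_host)


def assign_hosts(events, connection_host="ip", static_host=FORWARDER_HOSTNAME):
    """Run the pipeline over (sender_ip, raw_event) pairs and return the host per event."""
    return [assign_host(ip, raw, connection_host, static_host) for ip, raw in events]


if __name__ == "__main__":
    for mode in ("ip", "dns", "none"):
        print(mode, assign_hosts(SAMPLE_EVENTS, mode))
```

Running it shows why the original stanza collapsed everything onto one host: with connection_host = none and a comma-separated host= value, every event that the transform cannot match gets the literal string "FGT-A, FGT-B". With the override in place, the two FortiGates are distinguished by devname regardless of which connection_host mode the input uses, and only events lacking a devname fall back to the sender IP or its PTR name.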