Splunk Cloud Platform

How to configure sending logs from Fortinet Firewall to Splunk Cloud via a heavy forwarder?

elidemberg
Loves-to-Learn

Hello, this is my first experience with Splunk Cloud and I would like to know how to configure the sending of events from my fortinet firewall to my splunk cloud using a Heavy Fowarder.

In my firewall I put the IP of my Heavy Fowarder and configured the UDP port 514 to send the events to the Heavy Fowarder.

In my heay fowarder in data inputs I configured port 514 with source fgt_log and index=Firewall.

The app Context I placed my Cloud instance.
Even running all this process I can't see the events from my firewall in the Splunk Cloud.

NOTE: The Heavy fowarder is communicating with the Cloud, I validated the communication in Deployment Instances.

Port 514 is enabled on the firewall, so I think I'm making a mistake in some configuration.

Can you help me please?

Labels (2)
0 Karma

MWA
New Member

For fortinet logs forwarding to splunk we have to mention the forwarding port as well,
To mention the port, an option is not available in GUI. We can use the following commands to add the splunk server IP with a custom forwarding port#

config log syslogd2 setting
set status enable
set server 10.10.10.10
set port 2222
end

use above example to forward traffic to port 2222
Regards,

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The Best Practice for receiving syslog (port 514) events is to have the firewall send them to a dedicated syslog server (syslog-ng, rsyslog, or Splunk Connect for Syslog (SC4S) as examples) rather than to a Splunk UDP/TCP port.  A Universal (preferred) or Heavy Forward then is used to forward the events to Splunk.  (SC4S sends events directly to Splunk so no forwarder is needed with it.)

A Cloud instance cannot be an app context.

Are you seeing the HF's internal logs in your Cloud instance?  If not then that means the HF is not connected to Splunk Cloud correctly and would explain why you don't see Fortinet logs.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

rsyslog and "vanilla" syslog-ng can also be configured to send logs directly tp HEC input.

0 Karma

elidemberg
Loves-to-Learn

In answer to your question, I can see the internal logs of my HF instance in SPlunk Cloud.

I am having trouble viewing the FOrtinet logs in the cloud.

I have configured the index in both Splunk Cloud and Heavy Fowarder, but to no avail.

 

Can I send the logs from UDP port 514 directly to the Heavy fowarder and query the events in the splunk cloud?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There's no need to configure indexes on a heavy forwarder, except to satisfy some user interfaces.

Yes, you should be able to configure a UDP/514 input on a HF and see the events in Splunk Cloud.

Since you see the HF's logs in Cloud, we know the connection is working.  We also can use the logs to try to find the problem.  Try searching for metrics to see if the HF is sending any data.

index=_internal component=Metrics group=per_index_thruput series=<<index name>>

Also, check for errors reported by the HF that might reflect problems with the UDP port.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...