We are using Splunk Cloud environment with One Adhoc Search Head and one Enterprise Security Search head.
We have On-prem Deployment server, one Heavy forwarder and one syslog server (also a heavy forwarder).
Fortigate firewall logs are being sent from devices ---> syslog server (HF) ---> Splunk cloud indexers
Currently, I have set index=firewall and sourcetype=fgt for Fortigate firewall logs.
To have the Fortigate firewall logs on Enterprise Security dashboard (For example in Intrusion Center), where the add-on should be installed and what changes to be made?
Currently the add-on (1.6.0 version) is installed on ES Search Head. Should this be uninstalled from here and installed somewhere else?
keep it on search head and install it on indexers as well.
syslog->splunk indexers(add-on)->ES searchhead(add-on)
when using customized index name and sourcetypes, please refer to the documentation on how to change those in configuration for the add-on.
As I have already placed the Fortigate AddOn on SH and u must be parsing the logs as expected.
Make sure the data models , event types and tags are in place.
Validate them first as ES mostly relies on them.
So, should I install the Add-On on Syslog server (Heavy Forwarder)? What should be the sourcetype for fortigate logs and how the props apply?
I believe based on the sourcetype, the logs get pushed to ES data model
I have installed Add-On on heavy Forwarder (syslog server), but the sourcetype transformation is not happening. All the data is coming in as fgt_log as I defined in inputs.conf.
Am I missing something?
Work done by me:
Installed Fortigate Add-On on Heavy Forwarder
Edited inputs.conf on different app (my_syslog_inputs_app): changed sourcetype from fgt to fgt_log. Decided to keep index as "firewall"