Splunk Enterprise Security

Where should I install Fortinet Fortigate Add-On for Splunk?

bsuresh1
Path Finder

Hi All,

We are using a Splunk Cloud environment with one ad hoc search head and one Enterprise Security search head.

We have an on-prem deployment server, one heavy forwarder and one syslog server (also a heavy forwarder).

FortiGate firewall logs are being sent from devices ---> syslog server (HF) ---> Splunk Cloud indexers

Currently, I have set index=firewall and sourcetype=fgt for the FortiGate firewall logs.

To get the FortiGate firewall logs onto the Enterprise Security dashboards (for example, Intrusion Center), where should the add-on be installed and what changes need to be made?

Currently the add-on (version 1.6.0) is installed on the ES search head. Should it be uninstalled from there and installed somewhere else?

1 Solution

bhavikbhalodia
Path Finder

Hi @bsuresh1

As per your requirement, you have to install the add-on on the heavy forwarder (HF). No need to uninstall the add-on from the search head.


jerryzhao
Contributor

Keep it on the search head and install it on the indexers as well.
syslog->splunk indexers(add-on)->ES searchhead(add-on)
When using customized index names and sourcetypes, please refer to the documentation on how to change those in the add-on's configuration.
https://splunkbase.splunk.com/app/2846/#/details


bsuresh1
Path Finder

We are using Splunk Cloud, so I couldn't install it on the indexers. Should I install it on the syslog server (HF) and the ES search head?


jerryzhao
Contributor

Even on Cloud, you can ask Splunk Support to install it for you, right? I have seen other customers use the add-on on Cloud as well.


neelamsantosh
Path Finder

As I have already placed the FortiGate add-on on the SH, you must be parsing the logs as expected.
Make sure the data models, event types and tags are in place.
Validate them first, as ES mostly relies on them.


bsuresh1
Path Finder

So, should I install the add-on on the syslog server (heavy forwarder)? What should the sourcetype be for FortiGate logs, and how do the props apply?

I believe that, based on the sourcetype, the logs get pushed into the ES data models.


bsuresh1
Path Finder

Hi All,
I have installed the add-on on the heavy forwarder (syslog server), but the sourcetype transformation is not happening. All the data is coming in as fgt_log, as I defined in inputs.conf.

Am I missing something?

Work done by me:
Installed the FortiGate add-on on the heavy forwarder
Edited inputs.conf in a different app (my_syslog_inputs_app): changed the sourcetype from fgt to fgt_log. Decided to keep the index as "firewall"

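For reference, this is an illustrative props.conf/transforms.conf pair of the kind a FortiGate add-on uses to rewrite the sourcetype at index time; it is an added example, not the Fortinet add-on's own files, and the stanza names, the fgt_traffic/fgt_utm/fgt_event target sourcetypes and the deployment path are assumptions. It relies on the fact that FortiGate syslog events carry a "type=" key, and shows why the props stanza name must equal the sourcetype set in inputs.conf (here fgt_log) for any rewrite to happen.

```ini
# props.conf (hypothetical app deployed on the heavy forwarder, the first full parsing tier)
# The stanza name must match the sourcetype assigned in inputs.conf; if the input
# still says "fgt" while this stanza says "fgt_log" (or vice versa), nothing below fires.
[fgt_log]
SHOULD_LINEMERGE = false
# Index-time sourcetype rewrite; the transforms run in the listed order and the
# last matching one wins. Requires a restart of the forwarder to take effect.
TRANSFORMS-route_fgt = fgt_set_traffic, fgt_set_utm, fgt_set_event

# transforms.conf (same hypothetical app)
# Each stanza keys on the FortiGate "type=" field (quoted in newer FortiOS
# builds, bare in older ones) and overwrites the event's sourcetype metadata.
[fgt_set_traffic]
REGEX = \stype="?traffic"?
FORMAT = sourcetype::fgt_traffic
DEST_KEY = MetaData:Sourcetype

[fgt_set_utm]
REGEX = \stype="?utm"?
FORMAT = sourcetype::fgt_utm
DEST_KEY = MetaData:Sourcetype

[fgt_set_event]
REGEX = \stype="?event"?
FORMAT = sourcetype::fgt_event
DEST_KEY = MetaData:Sourcetype
```

Because the rewrite happens during parsing on the heavy forwarder, events that were already forwarded keep their original sourcetype; after a restart, a search such as index=firewall sourcetype=fgt* | stats count by sourcetype (assuming the "firewall" index from this thread) shows whether new events are being split into the per-type sourcetypes.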