Splunk Enterprise Security

Where should I install Fortinet Fortigate Add-On for Splunk?

bsuresh1
Path Finder

Hi All,

We are using Splunk Cloud environment with One Adhoc Search Head and one Enterprise Security Search head.

We have On-prem Deployment server, one Heavy forwarder and one syslog server (also a heavy forwarder).

Fortigate firewall logs are being sent from devices ---> syslog server (HF) ---> Splunk cloud indexers

Currently, I have set index=firewall and sourcetype=fgt for Fortigate firewall logs.

To have the Fortigate firewall logs on Enterprise Security dashboard (For example in Intrusion Center), where the add-on should be installed and what changes to be made?

Currently the add-on (1.6.0 version) is installed on ES Search Head. Should this be uninstalled from here and installed somewhere else?

0 Karma
1 Solution

bhavikbhalodia
Path Finder

Hi @bsuresh1

As per your requirement, you have to install Add-on on the Heavy Forwarder(HF). No need to uninstall Add-on from Search Head.

View solution in original post

0 Karma

jerryzhao
Contributor

keep it on search head and install it on indexers as well.
syslog->splunk indexers(add-on)->ES searchhead(add-on)
when using customized index name and sourcetypes, please refer to the documentation on how to change those in configuration for the add-on.
https://splunkbase.splunk.com/app/2846/#/details

0 Karma

bsuresh1
Path Finder

We are using Splunk Cloud. So, couldn't install on indexers. Shoudl I install it on Syslog (HF) and ES Search Head?

0 Karma

jerryzhao
Contributor

even on cloud, you can ask splunk support to install it for you, right? I have seen other customers use add-on on cloud as well.

neelamsantosh
Path Finder

As I have already placed the Fortigate AddOn on SH and u must be parsing the logs as expected.
Make sure the data models , event types and tags are in place.
Validate them first as ES mostly relies on them.

0 Karma

bhavikbhalodia
Path Finder

Hi @bsuresh1

As per your requirement, you have to install Add-on on the Heavy Forwarder(HF). No need to uninstall Add-on from Search Head.

0 Karma

bsuresh1
Path Finder

So, should I install the Add-On on Syslog server (Heavy Forwarder)? What should be the sourcetype for fortigate logs and how the props apply?

I believe based on the sourcetype, the logs get pushed to ES data model

0 Karma

bsuresh1
Path Finder

Hi All,
I have installed Add-On on heavy Forwarder (syslog server), but the sourcetype transformation is not happening. All the data is coming in as fgt_log as I defined in inputs.conf.

Am I missing something?

Work done by me:
Installed Fortigate Add-On on Heavy Forwarder
Edited inputs.conf on different app (my_syslog_inputs_app): changed sourcetype from fgt to fgt_log. Decided to keep index as "firewall"

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...