Hello, After configuring the SC4S server to use the same NTP server as the network devices, the timezone is now working correctly. Thank you for all your help. ... View more

Hi @gcusello  I see that the SplunkForwarder service is currently running under the NT SERVICE\SplunkForwarder account. Is it possible to switch this to a domain user account with the required permissions, or would I need to reinstall the Universal Forwarder using that domain account? Regards, ... View more

Hi @gcusello  Thank you for your response, My current service account for SplunkForwarder is NT Service\SplunkForwarder. I'm wondering—can I change this account directly from Log On tab, or do I need to reinstall the Universal Forwarder using a domain account that has the necessary permissions and roles? Regards, ... View more

This is an event of Fortiweb: event time of splunk 11:53:13 timestamp=1755258793 ==> 11:53:13 itime=1755234267 ==> 12:04:27 ==> This is the actual time the event occurred. ... View more

Hello, FortiWeb is configured with NTP. Regards, ... View more

Hello, Thanks for your response. I've added SC4S_DEFAULT_TIMEZONE to the env_file, but the issue still persists. I came across a related article that suggests the problem might be due to a missing NTP server configuration. I’ll try setting that up and will follow up if it resolves the issue. ... View more

Hello, Here is the raw local log of FortiAnalyzer, its timezone is also GMT+7 I checked the logs from FortiGate, which are forwarded to FortiAnalyzer and then to Splunk. When comparing these with the local logs of FortiAnalyzer, I noticed a key difference: the FortiGate logs contain timestamp, eventtime, and timezone, while the local FortiAnalyzer logs only show time. ... View more

Hello, In our environment, we have Splunk Cloud, on-premise infrastructure including SC4S, and FortiAnalyzer. All systems are set to the same GMT+7 time zone. The issue is specific to the local logs from FortiAnalyzer. We have the following add-ons installed: Fortinet FortiGate Add-on for Splunk (version 1.6.9) Fortinet FortiGate App for Splunk (version 1.6.4) The problem only affects a specific type of log from FortiAnalyzer: Logs from other FortiGates: These logs are forwarded to FortiAnalyzer and then to Splunk. They are working correctly, and the log time matches the Splunk event time. Local logs from FortiAnalyzer: This includes events like login, logout, and configuration changes on the FortiAnalyzer itself. For these logs, there is a 7-hour time difference between the log timestamp and the Splunk event time. This time discrepancy causes a significant problem. For example, if we create an alert for a configuration change on FortiAnalyzer, it will be triggered 7 hours late, making real-time monitoring impossible (As shown in this picture, using the same SPL query, searching by Splunk's event time returns results, while searching by the actual timestamp in the logs returns nothing.)   ... View more

For inputs.conf file, we've already enabled the Security log (and others). While other Security Event IDs, like those in the 472x range, are successfully searchable in Splunk, Event IDs 1104 and 1105 are conspicuously absent from search results.   ... View more