×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Numb78
Explorer
Member since: ‎05-28-2024
Monday
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎05-28-2024
View All

Re: Fortinet logs collected through syslog TCP wit...

by in Getting Data In
Monday
Monday
Hi livehybrid,   thanks for your answer.  I finally find the solution to this, and it was easier than ever. There's a note on SC4S guide saying that "When configuring a fortigate fortios device for TCP syslog, port 601 or an RFC6587 custom port must be used. UDP syslog should use the default port of 514." I read this, tried this on a first stage, but as it does now seemed to work, basically because I was using some test events sent via netcat without specifying any newline character. I have tried it again simply adding a "\r\n" at the end of the event blob and setting this environment variable on SC4S env file: SC4S_LISTEN_RFC6587_PORT=601 It works perfectly now, also tried in production environment with live events. Regards ... View more

Fortinet logs collected through syslog TCP with SC...

by in Getting Data In
a week ago
a week ago
Hi all, I'm struggling with an issue related to collecting Fortinet Fortios events through SC4S. If I use UDP protocol I have no issues, but when changing the collecting protocol to TCP the events are not interpreted correctly, because the line breaking does not work anymore, and basically I receive a buffer of merged events breaked only by the _raw size limit. My config is the following: Fortinet FW --> (Syslog TCP) --> SC4S --> HEC on Indexer (Splunk Cloud) --> Search Head (Splunk Cloud) If I receive the same events directly with a Splunk instance where the "Fortinet FortiGate Add-On for Splunk" the configuration correctly breaks the events. Here is the additional configuration needed. [source::tcp:1514] SHOULD_LINEMERGE = false LINE_BREAKER = (\d{2,3}\s+<\d{2,3}>) TIME_PREFIX = eventtime= TIME_FORMAT = %s%9N If I try to apply this configuration on the Splunk Cloud SH it does not work. I believe that SC4S or the indexer is not permitting to perform this line breaking configuration on the SH, so I'm unable to make it work. Maybe it's possible to apply some adjustement on SC4S, if anyone already solves this. Regards ... View more
Labels

Re: splunk-winevtlog.exe keeps crashing on Windows...

by in Splunk Enterprise
‎02-25-2025 12:56 AM
2 Karma
‎02-25-2025 12:56 AM
2 Karma
Hi all, just to notify you that this issue has been deeply troubleshooted with customer support and finally the fix should be included in the future release of Splunk 9.4.2.   Regards ... View more
Contact Me
Online Status
Offline
Date Last Visited
Monday
Karma from
View All