×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Numb78
Explorer
Member since: ‎05-28-2024
‎05-21-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎05-28-2024
View All

Re: Fortinet logs collected through syslog TCP wit...

by in Getting Data In
‎05-12-2025 06:32 AM
‎05-12-2025 06:32 AM
Hi livehybrid,   thanks for your answer.  I finally find the solution to this, and it was easier than ever. There's a note on SC4S guide saying that "When configuring a fortigate fortios device for TCP syslog, port 601 or an RFC6587 custom port must be used. UDP syslog should use the default port of 514." I read this, tried this on a first stage, but as it does now seemed to work, basically because I was using some test events sent via netcat without specifying any newline character. I have tried it again simply adding a "\r\n" at the end of the event blob and setting this environment variable on SC4S env file: SC4S_LISTEN_RFC6587_PORT=601 It works perfectly now, also tried in production environment with live events. Regards ... View more

Fortinet logs collected through syslog TCP with SC...

by in Getting Data In
‎05-07-2025 05:24 AM
‎05-07-2025 05:24 AM
Hi all, I'm struggling with an issue related to collecting Fortinet Fortios events through SC4S. If I use UDP protocol I have no issues, but when changing the collecting protocol to TCP the events are not interpreted correctly, because the line breaking does not work anymore, and basically I receive a buffer of merged events breaked only by the _raw size limit. My config is the following: Fortinet FW --> (Syslog TCP) --> SC4S --> HEC on Indexer (Splunk Cloud) --> Search Head (Splunk Cloud) If I receive the same events directly with a Splunk instance where the "Fortinet FortiGate Add-On for Splunk" the configuration correctly breaks the events. Here is the additional configuration needed. [source::tcp:1514] SHOULD_LINEMERGE = false LINE_BREAKER = (\d{2,3}\s+<\d{2,3}>) TIME_PREFIX = eventtime= TIME_FORMAT = %s%9N If I try to apply this configuration on the Splunk Cloud SH it does not work. I believe that SC4S or the indexer is not permitting to perform this line breaking configuration on the SH, so I'm unable to make it work. Maybe it's possible to apply some adjustement on SC4S, if anyone already solves this. Regards ... View more
Labels

Re: splunk-winevtlog.exe keeps crashing on Windows...

by in Splunk Enterprise
‎02-25-2025 12:56 AM
2 Karma
‎02-25-2025 12:56 AM
2 Karma
Hi all, just to notify you that this issue has been deeply troubleshooted with customer support and finally the fix should be included in the future release of Splunk 9.4.2.   Regards ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-21-2025 03:21 AM
Karma from
View All