Splunk Cloud Platform

How to configure sending logs from Fortinet Firewall to Splunk Cloud via a heavy forwarder?

elidemberg
Loves-to-Learn

Hello, this is my first experience with Splunk Cloud and I would like to know how to configure the sending of events from my Fortinet firewall to my Splunk Cloud using a Heavy Forwarder.

In my firewall I put the IP of my Heavy Forwarder and configured UDP port 514 to send the events to the Heavy Forwarder.

In my heavy forwarder, in data inputs, I configured port 514 with source fgt_log and index=Firewall.

In the app context I placed my Cloud instance.
Even running all this process I can't see the events from my firewall in the Splunk Cloud.

NOTE: The Heavy Forwarder is communicating with the Cloud; I validated the communication in Deployment Instances.

Port 514 is enabled on the firewall, so I think I'm making a mistake in some configuration.

Can you help me please?


richgalloway
SplunkTrust

The best practice for receiving syslog (port 514) events is to have the firewall send them to a dedicated syslog server (syslog-ng, rsyslog, or Splunk Connect for Syslog (SC4S), as examples) rather than to a Splunk UDP/TCP port. A Universal (preferred) or Heavy Forwarder is then used to forward the events to Splunk. (SC4S sends events directly to Splunk, so no forwarder is needed with it.)

A Cloud instance cannot be an app context.

Are you seeing the HF's internal logs in your Cloud instance?  If not then that means the HF is not connected to Splunk Cloud correctly and would explain why you don't see Fortinet logs.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

rsyslog and "vanilla" syslog-ng can also be configured to send logs directly to an HEC input.


elidemberg
Loves-to-Learn

In answer to your question, I can see the internal logs of my HF instance in Splunk Cloud.

I am having trouble viewing the Fortinet logs in the cloud.

I have configured the index in both Splunk Cloud and the Heavy Forwarder, but to no avail.


Can I send the logs from UDP port 514 directly to the Heavy Forwarder and query the events in Splunk Cloud?


richgalloway
SplunkTrust

There's no need to configure indexes on a heavy forwarder, except to satisfy some user interfaces.

Yes, you should be able to configure a UDP/514 input on a HF and see the events in Splunk Cloud.

Since you see the HF's logs in Cloud, we know the connection is working. We can also use the logs to try to find the problem. Try searching for metrics to see if the HF is sending any data.

index=_internal component=Metrics group=per_index_thruput series=<<index name>>

Also, check for errors reported by the HF that might reflect problems with the UDP port.

---
If this reply helps you, Karma would be appreciated.
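As an added example (not posted by anyone in this thread) of the HF-side input richgalloway describes: an inputs.conf stanza for a UDP/514 listener, with the checks to run on the HF when events still do not appear in Cloud. The app directory name and the lowercase index name firewall are assumptions; the index must already exist in Splunk Cloud.

```ini
# $SPLUNK_HOME/etc/apps/fortinet_inputs/local/inputs.conf on the heavy forwarder
# (app name is an assumption; any app's local/ directory works)

[udp://514]
# Sourcetype used by the Splunk Add-on for Fortinet FortiGate; it splits
# traffic/event/utm logs into their specific sourcetypes at index time.
sourcetype = fgt_log
# Index names are lowercase; it must exist in Splunk Cloud, not only on the HF.
index = firewall
# Record the sending firewall's IP as host instead of doing a DNS lookup.
connection_host = ip
# Keep the firewall's own timestamp/host; do not prepend the receive time.
no_appending_timestamp = true

# Checks when nothing arrives in Cloud:
#
# 1. Is the stanza actually loaded (typos, disabled=1, precedence)?
#      splunk btool inputs list udp://514 --debug
#
# 2. UDP 514 is a privileged port. On Linux, splunkd running as a non-root
#    user cannot bind it; look for a bind failure on port 514 in splunkd.log:
#      index=_internal sourcetype=splunkd source=*splunkd.log* 514 (ERROR OR WARN)
#
# 3. Is the listener receiving anything at all, before worrying about the index?
#      index=_internal source=*metrics.log group=udpin_connections
#
# 4. Are events leaving the HF for this index (the search from the reply above)?
#      index=_internal source=*metrics.log group=per_index_thruput series=firewall
#
# If (3) shows traffic but (4) shows none, the index name in this stanza and the
# one created in Splunk Cloud do not match; if (3) is empty, the problem is the
# listener or the network path from the firewall, not Splunk Cloud.
```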