Skip to content

Fortios

Key facts

  • MSG Format based filter
  • Legacy BSD Format default port 514
Ref Link
Splunk Add-on https://splunkbase.splunk.com/app/2846/
Product Manual https://docs.fortinet.com/product/fortigate/6.2

Sourcetypes

sourcetype notes
fgt_log Catch-all sourcetype; not used by the TA
fgt_traffic None
fgt_utm None
fgt_event None

Sourcetype and Index Configuration

key sourcetype index notes
fortinet_fortios_traffic fgt_traffic netfw none
fortinet_fortios_utm fgt_utm netfw none
fortinet_fortios_event fgt_event netops none
fortinet_fortios_log fgt_log netops none

Source Setup and Configuration

  • Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.
config log memory filter

set forward-traffic enable

set local-traffic enable

set sniffer-traffic disable

set anomaly enable

set voip disable

set multicast-traffic enable

set dns enable

end

config system global

set cli-audit-log enable

end

config log setting

set neighbor-event enable

end

Options

Variable default description
SC4S_OPTION_FORTINET_SOURCETYPE_PREFIX fgt Notice starting with version 1.6 of the fortinet add-on and app the sourcetype required changes from fgt_* to fortinet_* this is a breaking change to use the new sourcetype set this variable to fortigate in the env_file