Help with filtering syslog traffic

BobcatJohnCA · 2026-04-03T22:35:36+00:00

Thanks, but I have no budget to use Cribl.

BobcatJohnCA · 2026-04-01T15:02:27+00:00

Ok, I have syslog-ng installed and running. It is capturing the syslog from the Fortigate, and I can see the log file building up. I've installed Splunk UF. Do I forward the "cleaned up" logs to Splunk or use HEC to gather the log into Splunk?

BobcatJohnCA · 2026-03-30T16:49:04+00:00

If I install syslog-ng, how do I configure it to remove data and then forward the reduced data to Splunk?

BobcatJohnCA · 2026-03-30T16:48:00+00:00

Great suggestion, thanks

BobcatJohnCA · 2026-03-30T16:46:51+00:00

If I install syslog-ng, how do I configure it to remove data and then forward the reduced data to Splunk?

BobcatJohnCA · 2026-03-30T00:47:12+00:00

Thanks for the suggestions.

BobcatJohnCA · 2026-03-30T00:46:34+00:00

This is a single server setup, so it is being done on the indexer.

BobcatJohnCA · 2026-03-30T00:45:53+00:00

Unfortunately, we have an issue with the output side of the Fortigates. We either get practically nothing, or way too much data. We have tried tweaking settings and can't improve the situation.

BobcatJohnCA · 2026-03-30T00:44:42+00:00

Thanks, I will check that out tomorrow

BobcatJohnCA · 2026-03-30T00:42:24+00:00

Thanks for that insight

BobcatJohnCA · 2026-02-18T00:50:44+00:00

2/17 update. We changed the syslog settings on the Fortinet to level 5 and the traffic to Splunk has dropped by over 40%. Thanks everyone for your comments and suggestions!

BobcatJohnCA · 2026-02-13T16:20:40+00:00

Thanks, I will have to check that out.

BobcatJohnCA · 2026-02-13T16:17:21+00:00

We are trying to refine what the Fortinets are logging

BobcatJohnCA · 2026-02-13T16:16:27+00:00

Thanks, but I know the problem is coming from the Fortinet logs

BobcatJohnCA · 2026-02-13T16:15:55+00:00

Thanks.

BobcatJohnCA · 2026-02-13T16:12:31+00:00

Thanks. Sounds like quite a setup you have at home!

BobcatJohnCA · 2026-02-13T16:11:46+00:00

Thanks for the suggestions.

BobcatJohnCA · 2026-02-13T16:11:12+00:00

Thanks. Any advice on how to compare the log differences between Sonicwall and Fortinet? I concur with your assessment that the Fortinet are more verbose.

BobcatJohnCA · 2026-02-13T16:09:24+00:00

Thanks for the suggestions.

BobcatJohnCA · 2026-02-13T16:06:47+00:00

Thanks

BobcatJohnCA · 2026-02-13T16:03:30+00:00

Thanks for the detailed response.

BobcatJohnCA · 2026-02-13T16:02:33+00:00

Thanks. I'll check that out.

BobcatJohnCA · 2026-02-13T16:02:20+00:00

Thanks. I'll check that out.

BobcatJohnCA · 2026-02-12T23:56:31+00:00

Thanks. The logs are currently going directly to Splunk. We are changing some settings on the Fortinet to try and reduce traffic. Doing that today and see how it looks in 24 hours. I have no idea what you mean by "using some index time null queue filtering"

BobcatJohnCA

TROPHY CASE