splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Correction on Sourcetype Configuration for FortiMail Events in SC4S Documentation #2353

Closed PricklyPotato closed 4 months ago

PricklyPotato commented 4 months ago

Hello,

I've identified a small discrepancy in the SC4S documentation regarding the configuration for FortiMail event data. In the current SC4S documentation (available at https://splunk.github.io/splunk-connect-for-syslog/3.21.0/sources/vendor/Fortinet/fortimail/), it instructs users to add an underscore (_) at the end of the sourcetype for FortiMail.

However, I found that the correct sourcetype configuration to properly send FortiMail event data does not include the underscore. The accurate sourcetype should be as follows:

fortinet_fortimail

The presence of the underscore seems to be a typographical error. I am attaching an image from the manual for reference. This correction could potentially help others who are attempting to set up FortiMail with SC4S.

Could the documentation be updated to reflect this correct sourcetype configuration?

Thank you for looking into this matter.

Best regards,

mstopa-splunk commented 4 months ago

@PricklyPotato thank you, I'm taking care of it.

mstopa-splunk commented 4 months ago

This documentation part needs to be reviewed more carefully. I cannot reproduce the case when it works with the key fortinet_fortimail. Can you please send a sample or two that work for you?

PricklyPotato commented 4 months ago

Of course, tell me what you need for testing. Do you want me to send you some PCAPs? I'll record some logs in the Archive and send them to you.

mstopa-splunk commented 4 months ago

@PricklyPotato thanks, much appreciated. I reproduced it on my end, and the PR is awaiting review now: https://github.com/splunk/splunk-connect-for-syslog/pull/2354/files

mstopa-splunk commented 4 months ago

https://splunk.github.io/splunk-connect-for-syslog/2354/sources/vendor/Fortinet/fortimail/

PricklyPotato commented 4 months ago

@mstopa-splunk that sounds great!!!

For my part, I solved it that way, by removing the (_) sign.

If you didn't remove the (_), what SC4S did was send you all the events from both FortiGate and FortiMail as if they were from FortiGate, mixing them up.

There was no difference between the sourcetypes fgt and fml.

If you need some kind of fortigate logs, I can send them to you if you want to reproduce the problem, just send me an email and I will send them to you.

Best regards.

mstopa-splunk commented 4 months ago

@PricklyPotato good catch, we had an md formatting bug there, together with another one in the configuration.

I tested it with fortinet_fortimail_spam and fortinet_fortimail, and it will work now. Feel free to take a look at the PR's diff in case I missed something, but it should be ok.
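A small check that catches the failure mode discussed in this thread (a metadata key written with a trailing underscore, which never matches the real key): an added example, not code from SC4S or from anyone in this issue. It assumes the `key,metadata,value` layout of an SC4S `splunk_metadata.csv` override file and treats the three keys mentioned above as the set of valid keys; the CSV content is constructed.

```python
import csv
import io

# Constructed sample of an SC4S splunk_metadata.csv override (not from the
# project). Assumed layout: key,metadata,value. The second row carries the
# trailing-underscore typo described in the issue.
SAMPLE_METADATA_CSV = """\
fortinet_fortigate,index,netfw
fortinet_fortimail_,index,email
fortinet_fortimail_spam,index,email
"""

# Keys named in this thread; assumed here to be the complete set of valid keys.
KNOWN_KEYS = {"fortinet_fortigate", "fortinet_fortimail", "fortinet_fortimail_spam"}


def parse_metadata(text):
    """Return a list of (key, metadata, value) rows, skipping blanks and comments."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 3:
            raise ValueError(f"malformed row (expected 3 fields): {row}")
        rows.append(tuple(cell.strip() for cell in row))
    return rows


def find_bad_keys(rows, known_keys=KNOWN_KEYS):
    """Map each key that will never match a known key to a short hint.

    A key that differs from a known key only by trailing underscores is
    reported with the intended key, so a doc-copied typo is easy to spot.
    """
    problems = {}
    for key, _metadata, _value in rows:
        if key in known_keys:
            continue
        stripped = key.rstrip("_")
        if stripped in known_keys:
            problems[key] = f"trailing underscore; did you mean {stripped!r}?"
        else:
            problems[key] = "unknown key"
    return problems


if __name__ == "__main__":
    for key, hint in find_bad_keys(parse_metadata(SAMPLE_METADATA_CSV)).items():
        print(f"{key}: {hint}")
```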

PricklyPotato commented 4 months ago

Hello,

I'm glad to be able to help improve SC4S. Please let me know how we will proceed or if you need any more help from me.

mstopa-splunk commented 4 months ago

Awesome, thank you! We're clear here, fixes will be merged soon. We will be grateful for similar issues in the future if you find anything more.

PricklyPotato commented 4 months ago

Perfect, so I'll close the case.