Channel: Questions in topic: "splunk-enterprise"

Fortinet FortiGate Add-On default [source::*] stanza in default/props.conf affects all data from Splunk and cannot be deactivated from local

Hi,

The default stanza in the default/props.conf of the Fortinet Add-on contains:

```
[source::*]
#[source::udp:514]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
```

The documentation suggests changing this, which is itself correct. **BUT** the default/props.conf stanza cannot be deactivated without modifying **default/props.conf**, which **is not upgrade resilient** and does not correspond to Splunk best practices. If someone then updates the application when a new version of the add-on is released, default/props.conf will be overwritten and the [source::*] stanza will be activated again.

We have observed data being badly recognized (multi-line events treated as one event per line) because of the add-on's stanza.

We previously tried to deactivate it in a local/props.conf as follows (without modifying default/props.conf, to stay upgrade resilient):

```
[source::*]
TRANSFORMS-force_sourcetype_fgt =
```

**But this won't work, and other data still collides with the Fortinet add-on.** **Only modifying default/props.conf solves the issue.**

Please update the add-on configuration.

Thank you.

Guilhem
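As an added illustration (not part of the question, and not the add-on's own files), the script below models how Splunk layers local/props.conf over default/props.conf key by key for the `[source::*]` stanza quoted above, and flags wildcard stanzas that carry `TRANSFORMS-*` rules affecting every input. The two conf texts are constructed samples modelled on the stanzas in the question; the merge shows that keys the local stanza does not mention, such as `SHOULD_LINEMERGE`, stay in effect from default.

```python
import configparser
from typing import Dict, List

# Constructed samples modelled on the stanzas quoted in the question,
# not the real files shipped with the add-on.
DEFAULT_PROPS = """
[source::*]
#[source::udp:514]
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fgt_traffic,force_sourcetype_fgt_utm,force_sourcetype_fgt_event
SHOULD_LINEMERGE = false
"""

LOCAL_PROPS = """
[source::*]
TRANSFORMS-force_sourcetype_fgt =
"""

# Stanza names that match every input regardless of app; a TRANSFORMS rule
# here rewrites data the add-on does not own.
OVERLY_BROAD = {"source::*", "host::*", "default"}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text: keys keep their case, '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase keys such as SHOULD_LINEMERGE
    cp.read_string(text)
    return cp


def effective_stanza(default_text: str, local_text: str, stanza: str) -> Dict[str, str]:
    """Merge one stanza the way Splunk layers local/ over default/:
    every default key survives unless local sets it (even to an empty value)."""
    merged: Dict[str, str] = {}
    for layer in (parse_conf(default_text), parse_conf(local_text)):
        if layer.has_section(stanza):
            merged.update(layer.items(stanza))
    return merged


def wildcard_transform_stanzas(text: str) -> List[str]:
    """Return overly broad stanzas that still carry a non-empty TRANSFORMS-* key."""
    cp = parse_conf(text)
    return [
        name for name in cp.sections()
        if name in OVERLY_BROAD
        and any(k.startswith("TRANSFORMS-") and v.strip() for k, v in cp.items(name))
    ]
```

On a Splunk host the equivalent check of the merged result is `splunk btool props list source::* --debug`, which also names the file each effective key comes from.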
