tio3udes
New Contributor III

FAZ to Splunk

Hello community!

So, I have a situation where there's a discrepancy between the volume of logs ingested by FAZ and the license consumption on Splunk. FAZ forwards logs to Splunk, and there's a difference of about 30 GB/day more when we check the Splunk side.

Some details:

Traffic is being forwarded over UDP 514.

A Fortinet add-on is being used for the integration between the two solutions.

Has anyone seen this before, or have any idea of what it could be?

I appreciate any information.

#FortiAnalyzer #FAZ #Splunk #SIEM

ti03udes
3 REPLIES
AEK
SuperUser

Hello

Since UDP is connectionless, could it be caused by lost packets?

AEK
tio3udes
New Contributor III

Don't think so because the higher value is at the receiving end.

ti03udes
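The reconciliation this thread is asking for, written out as an added example (not code from the original post, nor from Fortinet or Splunk): capture a batch of the UDP/514 datagrams FAZ sends (for instance with tcpdump on the Splunk host) and compare, per day, the bytes on the wire, the bytes the receiver would meter, and the bytes left after repeated event bodies are dropped. Since the receiving side reports the higher number, packet loss cannot explain the gap, whereas the same event arriving twice (say, from two forwarding rules or two collectors) would. The sample datagrams, the `date=` field used for bucketing, and the assumption that Splunk meters the message body after the `<PRI>` prefix is removed are all assumptions made for the example.

```python
"""Reconcile per-day syslog volume between a sender (FortiAnalyzer forwarding
over UDP/514) and the receiver (Splunk) from a captured batch of datagrams.

Added example for this thread; not Fortinet's or Splunk's code. Assumptions:
  * each datagram is one syslog message: "<PRI>" followed by a FortiGate-style
    key=value body carrying a date= field;
  * the receiver meters the body with the PRI stripped ("indexed_bytes" here
    models what the license meter would count);
  * an identical body arriving more than once is a duplicate, which is the
    kind of problem that makes the receiver count MORE than the sender sent.
"""
import hashlib
import re
from collections import defaultdict

PRI_PREFIX = re.compile(r"^<(\d{1,3})>")
DATE_FIELD = re.compile(r"\bdate=(\d{4}-\d{2}-\d{2})\b")

# Constructed sample traffic (made up to resemble forwarded FortiGate logs):
# three events on 2024-05-01, one of them sent twice, and one on 2024-05-02.
SAMPLE_DATAGRAMS = [
    '<189>date=2024-05-01 time=10:00:01 devname="FGT1" type="traffic" action="accept"',
    '<189>date=2024-05-01 time=10:00:01 devname="FGT1" type="traffic" action="accept"',
    '<189>date=2024-05-01 time=10:00:02 devname="FGT1" type="traffic" action="deny"',
    '<189>date=2024-05-02 time=00:00:05 devname="FGT1" type="event" action="login"',
]


def split_pri(datagram: str):
    """Return (PRI value or None, body) for one syslog datagram."""
    m = PRI_PREFIX.match(datagram)
    if m is None:
        return None, datagram
    return int(m.group(1)), datagram[m.end():]


def event_day(body: str) -> str:
    """Day the event belongs to, taken from the FortiGate 'date=' field."""
    m = DATE_FIELD.search(body)
    return m.group(1) if m else "unknown"


def reconcile(datagrams, dedup_key=lambda body: body):
    """Per day: event count, bytes on the wire, bytes the receiver would index,
    bytes left after dropping duplicate bodies, and the number of duplicates.

    dedup_key lets the caller ignore fields a forwarder rewrites on each copy;
    by default the whole body has to match to count as a duplicate.
    """
    stats = defaultdict(lambda: dict(events=0, wire_bytes=0, indexed_bytes=0,
                                     unique_bytes=0, duplicates=0))
    seen = set()
    for dg in datagrams:
        _pri, body = split_pri(dg)
        day = stats[event_day(body)]
        body_len = len(body.encode("utf-8"))
        day["events"] += 1
        day["wire_bytes"] += len(dg.encode("utf-8"))
        day["indexed_bytes"] += body_len
        digest = hashlib.sha256(dedup_key(body).encode("utf-8")).digest()
        if digest in seen:
            day["duplicates"] += 1
        else:
            seen.add(digest)
            day["unique_bytes"] += body_len
    return dict(stats)


def duplicate_share(day_stats) -> float:
    """Fraction of a day's indexed bytes that came from repeated events."""
    if day_stats["indexed_bytes"] == 0:
        return 0.0
    return 1 - day_stats["unique_bytes"] / day_stats["indexed_bytes"]


if __name__ == "__main__":
    for day, s in sorted(reconcile(SAMPLE_DATAGRAMS).items()):
        print(f"{day}: {s['events']} events, wire={s['wire_bytes']}B, "
              f"indexed={s['indexed_bytes']}B, unique={s['unique_bytes']}B, "
              f"duplicates={s['duplicates']} "
              f"({duplicate_share(s):.0%} of indexed bytes)")
```

Run it against a day's worth of captured datagrams and compare `indexed_bytes` with the figure in Splunk's license usage report for the same day: if they agree but `unique_bytes` is much lower, the surplus is repeated events and the forwarding rules or collectors are worth checking; if `indexed_bytes` is well below what Splunk reports, the extra volume is not coming in on UDP 514 at all and another input or sourcetype is consuming the license.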
IvoryKoelpin

Thanks for the info.
