Hello Everyone
I am trying to program an application for Splunk and I have a little problem. The problem is that I cannot retrieve the logs sent by the firewall because I do not know which file they are in.
Thank you.
The logs are saved in Splunk's index, or "database" if you will. File system-wise, an index is distributed across a number of files, by default in $SPLUNK_HOME/var/lib. These files are in a proprietary format that cannot (easily) be read directly.
More information on Splunk indexes: http://docs.splunk.com/Documentation/Splunk/latest/admin/WhatsaSplunkindex
If you have already set things up so that Splunk is getting the logs from the Fortigate firewall, you should likely know either the source, sourcetype or host. If not, that's the place to start. Give us more details about that part of the Splunk setup, and we'll see if we can help you.
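To make the "files" part of the answer concrete, here is an added example (not code from the answerer or from Splunk) that walks a Splunk-style index directory and decodes the bucket directory names it finds. It assumes the default single-instance layout, where each index has a `db` directory (hot and warm buckets) and a `colddb` directory (cold buckets), warm and cold buckets are named `db_<latest epoch>_<earliest epoch>_<id>`, and hot buckets are named `hot_v1_<id>`; the directory tree it walks is constructed in a temp directory so the script runs offline. The point it demonstrates is that what sits on disk is a set of time-ranged buckets per index, not one log file per source, which is why the firewall events are located by searching on host, source or sourcetype rather than by opening a file.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Bucket directory naming (assumed default layout):
#   db_<latest epoch>_<earliest epoch>_<id>   warm (under db/) or cold (under colddb/)
#   hot_v1_<id>                               hot, still being written to
WARM_BUCKET = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")
HOT_BUCKET = re.compile(r"^hot_v\d+_(\d+)$")


def parse_bucket_name(name):
    """Decode a bucket directory name into state, epoch range and id.
    Returns None for entries that are not buckets (e.g. a .lock file)."""
    m = WARM_BUCKET.match(name)
    if m:
        latest, earliest, bucket_id = (int(x) for x in m.groups())
        return {"state": "warm", "earliest": earliest, "latest": latest, "id": bucket_id}
    m = HOT_BUCKET.match(name)
    if m:
        return {"state": "hot", "earliest": None, "latest": None, "id": int(m.group(1))}
    return None


def list_index_buckets(splunk_db_root):
    """Walk <root>/<index>/{db,colddb} and return one record per bucket,
    sorted by index name and bucket id. A db_... bucket found under colddb
    is reported as cold."""
    buckets = []
    for index in sorted(os.listdir(splunk_db_root)):
        for subdir in ("db", "colddb"):
            path = os.path.join(splunk_db_root, index, subdir)
            if not os.path.isdir(path):
                continue
            for entry in sorted(os.listdir(path)):
                info = parse_bucket_name(entry)
                if info is None:
                    continue
                if subdir == "colddb" and info["state"] == "warm":
                    info["state"] = "cold"
                info["index"] = index
                info["path"] = os.path.join(path, entry)
                buckets.append(info)
    buckets.sort(key=lambda b: (b["index"], b["id"]))
    return buckets


def build_demo_tree():
    """Construct a fake $SPLUNK_HOME/var/lib/splunk tree (test data, not a
    real install). 'defaultdb' is where the 'main' index lives by default;
    'fortigate' is an assumed custom index name."""
    root = tempfile.mkdtemp(prefix="splunk-lib-")
    layout = {
        "defaultdb/db": ["hot_v1_3", "db_1700003600_1700000000_2"],
        "defaultdb/colddb": ["db_1699900000_1699800000_1"],
        "fortigate/db": ["hot_v1_1", "db_1700007200_1700000000_0", ".lock"],
    }
    for rel, entries in layout.items():
        os.makedirs(os.path.join(root, rel))
        for entry in entries:
            target = os.path.join(root, rel, entry)
            if entry.startswith("."):
                open(target, "w").close()          # lock file, not a bucket
            else:
                # a real bucket holds rawdata/journal.gz plus tsidx index files;
                # only the rawdata directory is created here as a stand-in
                os.makedirs(os.path.join(target, "rawdata"))
    return root


def _fmt(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M")


def summarize(buckets):
    """One line per bucket with a readable time range."""
    lines = []
    for b in buckets:
        if b["state"] == "hot":
            span = "open (still being written)"
        else:
            span = f"{_fmt(b['earliest'])} .. {_fmt(b['latest'])} UTC"
        lines.append(f"{b['index']:<10} {b['state']:<5} id={b['id']:<3} {span}")
    return lines


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for line in summarize(list_index_buckets(demo_root)):
        print(line)
```

Run against a real installation by pointing `list_index_buckets` at `$SPLUNK_HOME/var/lib/splunk` (read-only; do not modify or delete bucket directories by hand). The listing tells you which indexes exist and what time ranges they cover, but not which events belong to the firewall; for that, a search along the lines of `index=* host=<firewall address> | stats count by index sourcetype source` in the Splunk UI is the practical next step the answer points to.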
The logs are already being sent (FortiGate work completed). What I want to know is:
where the Splunk server stores the logs it receives.
Not forgetting it's also a question for whoever configured it to log in the first place (assuming it is...).
I would say that's a Fortigate question rather than a Splunk question.
Hello, I want to retrieve the logs from a Fortigate firewall, and afterwards I will write an application for Splunk to manage these logs, an application like "Splunk App for Windows".
But the problem is that I don't know where the logs end up (in which file). Thank you for your help.
You need to provide much much more details. For starters, you haven't entered a question. Also, what firewall? What is the application you're writing supposed to do? What is the problem you need help with?