File collection method to be used instead of Syslog collection method
Task to accomplish:
- Fortinet logs are to be sent to the log collector through the file collection method (the currently supported method is syslog). They need to be parsed properly with the file collection method, just as they are parsed through the syslog collection method.

Need to work on:
- Create a new object under Logcollector -> Config Tab -> Event Source -> File -> xxx directory. Then a new file needs to be created under /etc/netwitness/ng/logcollection/content/collection/file/.
We have created a file collection named “Test Access” under Logcollector -> Config Tab -> Event Source -> Squid Directory.
We have also modified the file /etc/netwitness/ng/logcollection/content/collection/file/squid.xml.
Attaching the original and modified files for reference. [We are modifying the squid.xml file just for testing purposes, and we are sure we are not going to use it in a production environment.]
We have not sent any logs to the log collector yet, but (1) we want to double check whether the decoder will be fine handling a different collection method; (2) in which format do we need to send logs from Fortinet to the log collector [compressed or uncompressed]; (3) how big a file can the log collector/decoder handle when it is sent by the sasftp agent?
We have managed to send test logs to the decoder with the same XML file shared in the earlier post. Of the queries we asked in the earlier post, (i) and (ii) we have managed to address. But for the third question we are not sure. Let me be very specific: currently each file from Fortinet is at least 150 MB and up to 1 GB. Can the decoder handle such a big file without any issue or abnormal behaviour?