Guidelines and Limitations for Splunk Integration

  • When you enable Splunk integration, your existing syslog server configuration is not migrated.

  • When migrating to Cloud-Delivered Firewall Management Center, you must repeat the Splunk integration procedure because the Splunk configuration from the On-Premises Management Center does not get migrated.

  • You cannot configure a Splunk profile to send events for the same event type from both the Firewall Management Center and Firewall Threat Defense devices.

  • If you set up domains in Firewall Management Center, you can configure Splunk only from leaf domains.

  • You can create a maximum of 15 Splunk profiles per domain. However, multiple domains can be configured to send syslog messages to the same or different servers.

  • Do not create duplicate profiles for the same devices because it results in devices sending duplicated events to the Splunk server.

  • Only basic TLS encryption is supported over data interfaces from devices; client and server authentication are not supported.

  • The syslog payload is sent to the Splunk server in JSON format.

  • In a high availability setup, the Splunk configuration is synchronized between the Firewall Management Center HA pair. Only the active unit sends the events. In the case of a failover, the new active unit starts sending the events.

  • The message header of syslog events sent through data interfaces contains only the syslog tag and not the device IP address.

  • Splunk integration does not support analytics devices managed by another Firewall Management Center, for example, cdFMC.

  • cdFMC does not support sending events from a Firewall Management Center source. Hence, event types that are available only from a Firewall Management Center source cannot be sent from cdFMC.
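Three of the limitations above have a direct effect on the receiving side: the payload arrives as JSON, events sent through a data interface carry no device IP address in the syslog header, and duplicate profiles produce duplicated events. The following Python example, added here and not part of Cisco's documentation or product code, shows an ingestion-side check that handles all three. The exact header layout ("<PRI>" followed by an optional device IP and then the syslog tag) and every JSON field name are assumptions for illustration only; the sample lines are constructed, not captured from a device.

```python
import json
import re
from collections import Counter

# Assumed header layout (not documented on the page): "<PRI>" then an optional
# device IP, then the syslog tag ending in ':', then the JSON payload.
SYSLOG_JSON_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<header>[^{]*?)(?P<payload>\{.*\})\s*$"
)

# Constructed sample events (field names are invented for this example).
# Lines 1 and 4 carry the same payload with a different key order; lines 2
# and 3 are byte-identical and arrive without a device IP (data-interface path).
SAMPLE_LINES = [
    '<166>203.0.113.10 FTD-EVENT: {"event_type": "connection", "src_ip": "10.0.0.5", '
    '"dst_ip": "198.51.100.7", "action": "allow"}',
    '<166>FTD-EVENT: {"event_type": "connection", "src_ip": "10.0.0.6", '
    '"dst_ip": "198.51.100.8", "action": "block"}',
    '<166>FTD-EVENT: {"event_type": "connection", "src_ip": "10.0.0.6", '
    '"dst_ip": "198.51.100.8", "action": "block"}',
    '<166>203.0.113.10 FTD-EVENT: {"action": "allow", "event_type": "connection", '
    '"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"}',
]


def parse_event(line):
    """Split one syslog line into priority, optional device IP, tag and JSON payload."""
    m = SYSLOG_JSON_RE.match(line)
    if not m:
        raise ValueError("not a syslog line with a JSON payload: %r" % line)
    pri = int(m.group("pri"))
    tokens = m.group("header").split()
    if len(tokens) >= 2:
        device_ip, tag = tokens[0], tokens[1]       # management-interface form
    elif len(tokens) == 1:
        device_ip, tag = None, tokens[0]            # data-interface form: tag only
    else:
        raise ValueError("missing syslog tag in header: %r" % line)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "device_ip": device_ip,                     # None when the header omits it
        "tag": tag.rstrip(":"),
        "payload": json.loads(m.group("payload")),  # raises on malformed JSON
    }


def canonical_key(event):
    """Identity of an event for duplicate detection, independent of JSON key order."""
    body = json.dumps(event["payload"], sort_keys=True, separators=(",", ":"))
    return (event["device_ip"], event["tag"], body)


def summarize(lines):
    """Count total/unique events, duplicate groups, and events lacking a device IP."""
    events = [parse_event(line) for line in lines]
    counts = Counter(canonical_key(e) for e in events)
    return {
        "total": len(events),
        "unique": len(counts),
        "duplicate_groups": sum(1 for n in counts.values() if n > 1),
        "missing_device_ip": sum(1 for e in events if e["device_ip"] is None),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

A non-zero `duplicate_groups` count across a short window is the signal to look for duplicate Splunk profiles covering the same devices; a high `missing_device_ip` count tells you that events are arriving via data interfaces and that the source device must be recovered from the payload or the profile rather than from the syslog header.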