topic Linux Netfilter(iptables) technology add-on: How to collect logs from iptables? in All Apps and Add-ons

Linux Netfilter(iptables) technology add-on: How to collect logs from iptables?

test_qweqwe — Mon, 12 Feb 2018 15:33:33 GMT

Hi
Can you help me with some questions?

If I understand, this add-on parsing iptables logs, but first I need to change config of ipatables to log in to separate file?
There is no any inputs.conf or something like it. I don't know how to use this add-on even with documentation.

Re: Linux Netfilter(iptables) technology add-on: How to collect logs from iptables?

FrankVl — Mon, 12 Feb 2018 15:56:36 GMT

Assuming you're running splunk(forwarder) on the same box as where you want to capture the iptables logs, you'll need to:

Enable and configure logging in iptables (refer to iptables docs / online guides etc. for details; first hit on google: https://www.thegeekstuff.com/2012/08/iptables-log-packets/?utm_source=feedburner)
Configure the system's syslog daemon to write the iptables log to a suitable file (or at least confirm where it writes by default)
Configure splunk with a file monitor input to read the respective file. I understand from the TA doc you can use the syslog sourcetype, which will be transformed to linux:netfilter by the TA.

Re: Linux Netfilter(iptables) technology add-on: How to collect logs from iptables?

doksu — Wed, 14 Feb 2018 02:24:38 GMT

You could split the netfilter (iptables) events into their own file then in the inputs.conf monitor stanza for that file specify the sourcetype of linux:netfilter, but I designed the app so that doing so is not necessary. If you simply ingest the netfilter events mixed with other syslogged events (e.g. /var/log/messages) and that file is ingested with sourcetype "syslog", then the app will automatically change the sourcetype of just the netfilter events to linux:netfilter.