topic Getting logs to cloud in Splunk Cloud Platform

Getting logs to cloud

Pedro1x — Mon, 01 Nov 2021 06:21:46 GMT

Hi,

A new user here on Splunk.

It's been 4 hours that I am going through Splunk multiple documents and I am going in circle here. Maybe someone can point me to the right direction to get me started.

We have a new splunk cloud account, I am trying to get my cisco asa and pfsense logs to splunk cloud.

I installed on windows server splunk forwarder, But I can't figure out how to get the logs to the forwarder and then to the splunk cloud.

I specified on the ASA in the syslog server the IP of splunk forwarder but it doesn't seem like the forwarder is taking it.

PS: I already installed the spl credential on the forwarder and restarted the service. (I believe that's all that is needed for the forwarder to send data to the cloud right?)

Thank you for any help I can get.

Re: Getting logs to cloud

richgalloway — Mon, 01 Nov 2021 13:29:16 GMT

Yes, you need to install the Universal Forwarder app downloaded from your Splunk Cloud search head and restart the UF. If you see the UF's internal logs in the Cloud (index=_internal host=<<UF name>>) then it's working and any other data sent to the UF should also make its way to the cloud.

Sending syslog directly to a Splunk instance is not recommended, but should work as a trial. (The preferred way is to send syslog to a dedicated syslog server with a UF on it or use Splunk Connect for Syslog (SC4S).) The forwarder needs to have an input defined so it knows to listen on the port to which syslog data is being sent. The inputs.conf stanza will look something like this:

[tcp://:514] index = syslog sourcetype = cisco:asa