topic Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise in Getting Data In

No data can be seen from Forcepoint Firewall in Splunk Enterprise

lzahariev — Mon, 25 Oct 2021 07:54:30 GMT

Hi all,

We've configured a Forcepoint Next Generation Firewall (NGFW) to send data through it's Security Management Center (SMC) after following this article: https://forcepoint.github.io/docs/ngfw_and_splunk/, however no data is displayed in the Splunk Enterprise (Standalone) Web UI > Apps > Forcepoint. From a 'tcpdump' on the Splunk Ent. device (hosted on Linux CentOS 7), we can see incoming traffic on configured incoming TCP-19997 port.

Could anyone advise please?

Kind regards,
Lubo

Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise

PickleRick — Mon, 25 Oct 2021 09:17:06 GMT

By "incoming traffic" you mean just SYN packets or full bidirectional flow? Do you see data within this stream? If so, then splunk is receiving the events, you just have to find them.

Are they written to the proper index?

Does this app require any additional configuration to find the events? (might need some macro update or something like that).

Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise

lzahariev — Mon, 25 Oct 2021 13:50:38 GMT

Hi, thanks for your reply!

We've had successful three way TCP handshakes between our Forcepoint SMC and Splunk Enterprise (standalone) deployment, however no data that could be seen, as per this screenshot from the deployment guide: https://forcepoint.github.io/docs/ngfw_and_splunk/media/image9.png

I'm not sure what you meant by "written to the proper index", I'm new to Splunk, however my guess would be that - yes, there is data written to the correct Index, as seen from the Splunk web UI > Settings > Data > Indexes > (name) forcepoint, (app) forcepoint-solutions, (event count) 41.9M, (home path) $SPLUNK_DB/forcepoint/db. We've also created a custom sourcetype - key-value pairs, as per the deployment guide do, mentioned above.

"Does this app require any additional configuration to find the events?"
- Not sure, that's why I was hoping if someone with experience with this type of setup could advise, please.

Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise

PickleRick — Mon, 25 Oct 2021 14:07:14 GMT

Ahh, it seems you're not using the Splunk-provided Add-On which parses the syslog data, but some Forcepoint-supplied solution with a complete docker image containing universal forwarder. Well, that's an ugly solution if you ask me, because you don't know much what's going on inside that docker image.

Your index indeed seems to be populated with events. Check them out with searching simply for

index=forcepoint

Unfortunately, there' s not much information about this solution on the Github documentation page so it's best to start with https://forcepoint.github.io/docs/ngfw_and_splunk/#check-all-components-are-configured-and-running-properly

Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise

lzahariev — Mon, 25 Oct 2021 14:28:54 GMT

A-ha! OK that's better! So I've searched for 'index="forcepoint"' in the Search & Reporting App and can see data, but it seems bogus, as host=IP.addr.of.SMC, source=tcp:19997, sourcetype=key-value pairs, and that is if I have the Table view selected. If I have the List view selected, I can see more relevant data related what we need...

I have a feeling that we haven't configured Splunk Ent. to break the event data accordingly. The data seems to arrive in a .xml format, as configured on the SMC server:
SYSLOG_CONF_FILE=<smc_install_dir>/data/fields/syslog_templates/fp-smc-log-fields-v1.xml

I have also changed the sourcetype from 'key-value pairs' to 'syslog', so we'll just have to test and advise back. Alternatively if that doesn't work, I'll try the 'next-generation-firewall' in the sourcetype and give it a second try.

Will let you know, thanks for now!

If you have any other thoughts to share in the meanwhile, please let us know, it would be very much appreciated!

Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise

PickleRick — Mon, 25 Oct 2021 14:37:59 GMT

Well, configuration on splunk side should not normally be needed since here https://forcepoint.github.io/docs/ngfw_and_splunk/#setup-forcepoint-app-inside-splunk you're coppying an app into splunk's configuration directory so it should contain all appropriate parsing rules. And the UF included in the docker image should set a proper sourcetype/index on forwarded data.

Re: No data can be seen from Forcepoint Firewall in Splunk Enterprise

lzahariev — Tue, 26 Oct 2021 14:52:10 GMT

Hi!

Just for the record, we've made progress, whereby we've changed the value of 'LINE_BREAKER = ' from the default '([\r\n]+)' to '<record>' in the $SPLUNK_HOME/etc/system/local/props.conf file, because the indexer could not seem to parse the incoming .xml data, as configured in that format on the Forecepoint SMC.

The above was determined from this article:
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-do-event-break-for-XML-file-like-this/m-p/383203

Now we can see event data in the Splunk Ent. Web UI > Apps > Forcepoint, which we couldn't before, but in the Search & Reporting app the event data still cannot seem to be broken into columns if changed to Table view - not sure if that's how data is supposed to be displayed in the first place...

Thanks for your input PickleRick! Much appreciated!

Regards,
Lubo