https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369472#M93797 <OL> <LI><P>Splunk's best practice is to write the networking device's logs to a intermediary syslog server <EM>(this is to ensure continuous availability of network devices logs irrespective of availability of splunk servers)</EM> , you may use syslog-ng or rsyslog - so have a syslog server </P></LI> <LI><P>configure the cyberoam device to start sending the logs to syslog server's IP address </P></LI> <LI><P>check if the logs are being written to syslog or not</P></LI> <LI><P>if the logs are coming, then <STRONG>install the splunk universal forwarder</STRONG> on that syslog server which shall <STRONG>monitor</STRONG> these logs/directory and send them to your indexer IP on port 9997 with <STRONG>sourcetype: cyberoam &amp; Index : *custom</STRONG>*<BR /> Monitor files and directories with inputs.conf (<A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf</A>)</P></LI> <LI><P>Install Cyberoam addon on your splunk instances for automatic field extractions</P></LI> <LI><P>search for index=* sourcetype=cyberoam </P></LI> </OL> <P>=====<BR /> Another direct approach can be - <BR /> a. configure the device to send logs directly to your indexer IP address on UDP 514 <BR /> b. have the addon installed on your instances of splunk <BR /> c. open the port UDP:514 on splunk and on your splunk server's OS firewall </P> <P>Input Type : UDP Port<BR /> Port Number : 514<BR /> Source name override : N/A<BR /> Restrict to Host : give IP of your device (1.2.3.4)<BR /> Source Type: cyberoam<BR /> App Context : search<BR /> Host : (IP address of the remote server)<BR /> Index : create new &gt; cyberoam </P> <P>d. ensure that there is no other device which might be blocking this data movement<BR /><BR /> e. search for index=* sourcetype=cyberoam </P> Mon, 27 Nov 2017 16:01:24 GMT saurabh_tek11 2017-11-27T16:01:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369461#M93786 <P>please help me in detail step-by step i have no idea on Cyberoam.</P> Tue, 14 Nov 2017 04:41:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369461#M93786 V4M51 2017-11-14T04:41:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369462#M93787 <P>Hi</P> <P>1st you have to Add Syslog server. Which forwarded to Cyberom log to the splunk server. This is Cyberom side configuration. Check below link for more info.</P> <P><A href="https://kb.cyberoam.com/default.asp?id=396">https://kb.cyberoam.com/default.asp?id=396</A></P> <P>2nd Splunk side configuration. You have to do configuration to get data from TCP and UDP ports.<BR /> Check below link for more info.</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitornetworkports">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitornetworkports</A></P> <P>3rd for field extraction download Cyberoam TA from Splunkbase and install into Splunk instance.</P> <P>TA URL:</P> <P><A href="https://splunkbase.splunk.com/app/3126/">https://splunkbase.splunk.com/app/3126/</A></P> <P>I hope this information will help you.</P> <P>Thanks</P> Tue, 14 Nov 2017 13:01:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369462#M93787 kamlesh_vaghela 2017-11-14T13:01:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369463#M93788 <P>Hi @V4M51,</P> <P>Have you tried?</P> <P>Thanks</P> Sat, 18 Nov 2017 17:16:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369463#M93788 kamlesh_vaghela 2017-11-18T17:16:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369464#M93789 <P>@V4M51 If this answer helped you resolve your problem, please click the Accept button. If you need additional help, please ask!</P> <P>@kamlesh_vaghela, I've converted this to an answer because I think it deserves to be one. </P> <P>Happy Splunking,<BR /> -Rich</P> Sun, 19 Nov 2017 14:47:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369464#M93789 Richfez 2017-11-19T14:47:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369465#M93790 <P>i followed these steps and after this , goto search &amp; reporting in splunk , clicked on data summary ,but its only showing waiting for result, what is the problem ?, please help me</P> Mon, 27 Nov 2017 10:11:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369465#M93790 haseenhussain 2017-11-27T10:11:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369466#M93791 <P>in which index/sourcetype your data is coming?<BR /> Cyberoam TA using <CODE>cyberoam</CODE> sourcetype.</P> <P>Can you please check any data coming to splunk?</P> Mon, 27 Nov 2017 11:56:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369466#M93791 kamlesh_vaghela 2017-11-27T11:56:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369467#M93792 <P>no data is coming from cyberoam to splunk</P> Mon, 27 Nov 2017 12:44:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369467#M93792 haseenhussain 2017-11-27T12:44:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369468#M93793 <P>Hi<BR /> Can you please share implementation steps you did? like, how you forward cyberoam data to splunk,.. etc,.</P> Mon, 27 Nov 2017 13:10:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369468#M93793 kamlesh_vaghela 2017-11-27T13:10:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369469#M93794 <P>in cyberoam ,<BR /> logs&amp; reports-conf-syslog ser-add-<BR /> name-<BR /> ip/domain:- ip of pc(splunk installed pc)<BR /> port:-tcp 1024</P> Mon, 27 Nov 2017 13:17:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369469#M93794 haseenhussain 2017-11-27T13:17:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369470#M93795 <P>and i also check port in my windows system but its only <BR /> showing "listening"</P> Mon, 27 Nov 2017 13:40:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369470#M93795 haseenhussain 2017-11-27T13:40:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369471#M93796 <OL> <LI>Is that data reaching to syslog server ?</LI> <LI>If yes, share your inputs.conf stanza where you are monitoring these logs</LI> <LI><P>if no, check if the syslog configuration is correct / if there is any other device which might be blocking the incoming data to syslog. </P></LI> <LI><P>if data is coming to syslog but not monitored by splunk then apparently your inputs stanza has area of improvement or local machine's OS firewall (where splunk is installed) that port is closed. </P></LI> </OL> <P>Thanks. - Saurabh</P> Mon, 27 Nov 2017 15:18:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369471#M93796 saurabh_tek11 2017-11-27T15:18:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369472#M93797 <OL> <LI><P>Splunk's best practice is to write the networking device's logs to a intermediary syslog server <EM>(this is to ensure continuous availability of network devices logs irrespective of availability of splunk servers)</EM> , you may use syslog-ng or rsyslog - so have a syslog server </P></LI> <LI><P>configure the cyberoam device to start sending the logs to syslog server's IP address </P></LI> <LI><P>check if the logs are being written to syslog or not</P></LI> <LI><P>if the logs are coming, then <STRONG>install the splunk universal forwarder</STRONG> on that syslog server which shall <STRONG>monitor</STRONG> these logs/directory and send them to your indexer IP on port 9997 with <STRONG>sourcetype: cyberoam &amp; Index : *custom</STRONG>*<BR /> Monitor files and directories with inputs.conf (<A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.conf</A>)</P></LI> <LI><P>Install Cyberoam addon on your splunk instances for automatic field extractions</P></LI> <LI><P>search for index=* sourcetype=cyberoam </P></LI> </OL> <P>=====<BR /> Another direct approach can be - <BR /> a. configure the device to send logs directly to your indexer IP address on UDP 514 <BR /> b. have the addon installed on your instances of splunk <BR /> c. open the port UDP:514 on splunk and on your splunk server's OS firewall </P> <P>Input Type : UDP Port<BR /> Port Number : 514<BR /> Source name override : N/A<BR /> Restrict to Host : give IP of your device (1.2.3.4)<BR /> Source Type: cyberoam<BR /> App Context : search<BR /> Host : (IP address of the remote server)<BR /> Index : create new &gt; cyberoam </P> <P>d. ensure that there is no other device which might be blocking this data movement<BR /><BR /> e. search for index=* sourcetype=cyberoam </P> Mon, 27 Nov 2017 16:01:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Cyberoam-logs-in-splunk/m-p/369472#M93797 saurabh_tek11 2017-11-27T16:01:24Z