topic Re: Sending Logs with SYSLOG in Installation

How to send Logs with SYSLOG?

SplunkDash — Fri, 18 Feb 2022 16:42:17 GMT

Hello,

We have some appliances data/logs, require me to send/receive those logs with SYSLOG. I have a server to receive those logs and I also know we need to use TCP/UDP port. How would I proceed? What else I need to have, and those logs need to have any specific format? Any help/recommendations will be highly appreciated.

Thank you so much!

Re: Sending Logs with SYSLOG

gcusello — Fri, 18 Feb 2022 16:41:52 GMT

Hi @SplunkDash,

you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

in few words, you have to:

choose a port on your sender (some systems can send logs only on port 514)
choose a protocol on your sender (TCP ot UDP),
check the routes between sender and receiver for that protocol and that port,
enable on your Splunk receiver a network input [Settings -- Inputs -- Network inouts]
associate to the network input:
- port,
- protocol,
- sourcetype (it depends on the logs you're ingesting),
- index (where you want to store the logs),
- host (the hostname or the IP address of the source),
- source (the source name),
enable on your sender the log sending.

searching on Splunk "index=your_index host=your_host", you can check if you're receiving logs.

It's also useful to use the Splunk Connect for Syslog App (https://splunkbase.splunk.com/app/4740/) that helps you in syslog ingestion.

About format, it depends on the specific kind of logs, it's useful to use a Technical Add-On for the technology you're using that you can find at apps.splunk.com.

Ciao.

Giuseppe

Re: Sending Logs with SYSLOG

SplunkDash — Fri, 18 Feb 2022 17:01:56 GMT

Hello,

Thank you so much, appreciated your support in these efforts. I have a couple of questions

* sourcetype (it depends on the logs you're ingesting) ....what does mean by "depends on log types" here.....you meant.......we need to assign source type based on data format.

* Do we need to assign Port at the receiving end as well....?

Re: Sending Logs with SYSLOG

gcusello — Fri, 18 Feb 2022 17:11:34 GMT

Hi @SplunkDash,

this means that, if you're ingesting checkpoint logs, you have to install in the Splunk server you're using for syslog capture (usually Heavy Forwarders) a Technical Add-On (called usually TA) that you can download from apps.splunk.com.

If there isn't a TA for your technology, you have to manually build your TA for parse your logs.

Sourcetype doesn't depends on the data format but on the source technology you're ingesting.

The port to assing in the Data Input must be the same that you have in the source system, by default 514.

Ciao.

Giuseppe

Re: How to send Logs with SYSLOG?

rh71rdu — Mon, 18 Jul 2022 21:09:20 GMT

Hi, I'm trying to connect my router's syslog to Splunk enterprise on my Mac as a "hello world," to see Splunk in action.

I have installed Splunk>enterprise and started that successfully. I opened 127.0.0.1:8000 and added a UDP data input with port 514 and a source type "syslog". It is enabled.

On my router I have logged in and configured the syslog to be sent to my mac's internal ip address 192.168.1.244:514 (the one on ethernet, all other network cards on this mac are down) with log level L0--Emergency.

I know UDP isn't perfect and drops packets but my Mac is up continuously and I expected this to send all logs to my Mac port 514 to be captured by Splunk enterprise that is running.

However in Splunk I am only getting a 2 events (found by searching for the number "0"). 14 devices are on my network (including iPhones, iPads, Macs, windows, watch, HomePods, as well as some iot devices like a Blink! camera hub with 4 cameras.) so I would expect a lot of traffic on the syslog

Do you have any suggestions as to how to see more (or generate more) in the log... I was hoping to check email on my iPhone or do a google search and see some connections to the server.

Re: How to send Logs with SYSLOG?

gcusello — Tue, 19 Jul 2022 06:39:34 GMT

Hi @rh71rdu,

as you said UDP isn't the best way to send data, but anyway, maybe your pc is overbooked and there's a queue problem.

Anyway, analyzing point by point:

the connection is active, infact you're receiving data,
if you don't receive data from another device, check the connection by telnet,
check the traffic on your pc (tcpdump),
what is the configuration of your pc? rememeber that Splunk Enterprise requires a lot of resources,
try to use different ports for different sources.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Sending Logs with SYSLOG

gcusello — Fri, 22 Jul 2022 08:29:26 GMT

Hi @SplunkDash,

as I said, if you're using a standard TA (from Splunkbase), you have to assign a specific sourcetype to your logs that is specific for the kind of your logs, e.g.cisco:asa is mandatory in this format and different than cisco-asa, otherwise the transformations a parsing actions will not be delivered.

If you see in the inputs.conf, you have to define the port to use for logs receiving and it must be the same in source configuration: in Splunk this port is configurable, instead not all the appliances can choose the port to use, anyway, obviously it must be the same in source and receiver.

Ciao.

Giuseppe

Re: Sending Logs with SYSLOG

SplunkDash — Sun, 24 Jul 2022 00:26:23 GMT

Hello @gcusello

Would it be possible to have some details on SPLUNK default 8000, 8089, and 9997 ports. I know 8000 is a web port, 8089 is management, and 9997 is for data receiving/forwarding. But it would be great if you are kind enough to have more details on those ports. Thank you so much and appreciate your support in these efforts.

Re: Sending Logs with SYSLOG

SplunkDash — Sun, 24 Jul 2022 00:24:59 GMT

Hello @gcusello.

I am extremely sorry, there was a typo in my last message, my sincere apologies! Now resending that message again. Thank you!

Would it be possible to have some details on SPLUNK default 8000, 8089, and 9997 ports? I know 8000 is a web port, 8089 is management, and 9997 is for data receiving/forwarding. But it would be great if you are kind enough to have more details on those ports. Thank you so much and appreciate your support in these efforts.

Re: Sending Logs with SYSLOG

gcusello — Sun, 24 Jul 2022 06:38:56 GMT

Hi @SplunkDash,

Sorry, but I don't understand which kind of datails you wait, anyway, here you can find a description of all ports used by Splunk: https://community.splunk.com/t5/Deployment-Architecture/Diagram-of-Splunk-Common-Network-Ports/m-p/116657

Ciao.

Giuseppe

Re: Sending Logs with SYSLOG

SplunkDash — Sun, 24 Jul 2022 20:27:28 GMT

Hello @gcusello,

Sorry not that detailed on my previous Email.

Actually, I meant, when should we use each of those ports? Thank you so much again.

Re: Sending Logs with SYSLOG

gcusello — Mon, 25 Jul 2022 06:58:42 GMT

Hi @SplunkDash,

as you can read in the above link, it depends on what you want to do:

to access GUI interface, you use port 8000,
to send data 9997,
etc...

If you haven't any special request (e.g. having both forwarders with and without SSL), my hint is to use the default ports.

It's the same thing when you study operative system ports, You have to know that there are these ports and that you can use them for a purpose.

Ciao.

Giuseppe

Re: Sending Logs with SYSLOG

SplunkDash — Fri, 05 Aug 2022 15:45:13 GMT

Hello @gcusello,

I have a general question on using TA available in SPLUNKBASE.

What is the best practice to bring the data in: Use TA if possible if possible Or use Splunk agents (UF/HF, REST API, HEC); why? Any detail would be highly appreciated. Thank you so much as always.

Re: Sending Logs with SYSLOG

gcusello — Fri, 05 Aug 2022 15:53:02 GMT

Hi @SplunkDash,

this is a different question and I hint to create a new one so more people can answer quicker and probably better than me.

Anyway, if possible use always Universal Forwarder to take logs, because in this way you have many advantages (caching in fail lover, autoloadbalancing, bandwidth optimization, etc...)

REST API are usually used for special Use Cases (e.g. extraction of data from external systems (e.g. cloud environments).

HEC is used for applications.

Syslog is used when you haven't other opportunities and usually from appliances that are closed and not modifiable.

At least, use WMI only when you haven't any other way to extract logs from Windows, and possibly avoid it!

Anyway, Splunkbase's TAs are used not only to input data but also to parse them, infact they are used on Forwarders but also on Indexers and Search Heads.

Ciao.

Giuseppe