topic Re: Logging in Splunk Enterprise in Monitoring Splunk

Logging in Splunk Enterprise

gayathrc — Mon, 13 Nov 2023 03:16:46 GMT

Hi! This is a very basic question. First time working with Splunk Enterprise Platform.

How do you actually go about switching on the feature to log network traffic coming into an internal network with a specific IP range? I essentially want for Splunk Enterprise to act as a logger for all traffic that enters the internal network on a certain port, for example. How do I go about it?

FYI - I do not want to use the Forwarder or upload log files function.

Re: Logging in Splunk Enterprise

gcusello — Mon, 13 Nov 2023 07:04:22 GMT

Hi @gayathrc ,

I suppose that you already have your Splunk infrastrcuture, if not you have to engage a splunk architect to design it.

Anyway, are you speaking of Packet capture or network switches logs?

in the first case, you have to configure The Splunk App for Steam, for more datails see at

https://splunkbase.splunk.com/app/1809

https://splunkbase.splunk.com/app/5234

https://splunkbase.splunk.com/app/5238

If instead you have to use Swirches logs, you have to configure one of the component of your Splunk infrastructure (usually an Heavy Forwarder) as receiver of network inputs (for more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports).

then you have to install the add-on related to your network technology (e.g. the Cisco Add-on for network technoogy https://splunkbase.splunk.com/app/1467) and then search for the fieds extracted.

If you don't have the basic knoledge about Splunk searching, see the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial).

Ciao.

Giuseppe

Re: Logging in Splunk Enterprise

isoutamo — Mon, 13 Nov 2023 10:01:53 GMT

It's like @gcusello said, but I want to add one comment. You should never use splunk as an syslog receiver even it can do it. You will lose event more or less. It's much better to use real syslog servers to manage centralised syslog server. You you could use e.g. rsyslog, syslog-ng or SC4S (Syslog connector for splunk).

r. Ismo

Re: Logging in Splunk Enterprise

inventsekar — Mon, 13 Nov 2023 10:29:50 GMT

Hi @gayathrc ... I believe you have some network devices, you want to monitor/send the network devices logs to Splunk.

if so, you may use a syslog tool, to forward the logs to a "heavy forwarder"(HF), and then, from HF, you can send the logs to Splunk indexer.

if this is just a small POC project or use-case testing, then, you can achieve it without HF(or even without syslog)(but there will be data loss issues).

Please provide some more details about the requirements, thanks.

Re: Logging in Splunk Enterprise

gayathrc — Mon, 13 Nov 2023 15:06:56 GMT

Hi @inventsekar - you guessed it right! I'm only looking to use Splunk for a small Network Forensics project where I need to demo an attack on an internal network. For this purpose, I need to log the events and ensure that one such events sends out an Event Alert from Splunk. This will aid in investigating the attack. It's not a huge network, the project only requires about 5-6 devices in the internal network.

Re: Logging in Splunk Enterprise

inventsekar — Tue, 14 Nov 2023 00:32:29 GMT

Hi @gayathrc ...Pls check this "Getting Data in" Splunk document.. this gives the steps of monitoring a network input (TCP / UDP).

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports

upvotes / karma points appreciated, thanks.

Re: Logging in Splunk Enterprise

gcusello — Fri, 17 Nov 2023 06:21:57 GMT

Hi @gayathrc ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉