topic Re: How to create Firewall Log Tracking Dashboard in Dashboards & Visualizations

How to create Firewall Log Tracking Dashboard

Schwarzkopfr — Thu, 02 Sep 2021 14:00:37 GMT

index=firewall* | table _time origin_sic_name service proto service_id src dst rule policy_name rule_name s_port action message_info xlatesrc xlatedst

Re: How to create Firewall Log Tracking Dashboard

gcusello — Thu, 02 Sep 2021 14:26:34 GMT

Hi @Schwarzkopfr,

after you runned the search, in the right high part of the search dashboard, there's the "Save As" button.

Click on it and choose Dashboard panel.

The following window, will ask you if you want a new or existing dashboard.

One final hint: when you create dashboards and other knowledge objects (fields, eventtypes, tags, etc...), don't create them in the Search and Reporting App, but create a new empty app and work inside it.

To create an app go in [Apps -- Manage Apps -- Create App].

Ciao.

Giuseppe

Re: How to create Firewall Log Tracking Dashboard

Schwarzkopfr — Thu, 02 Sep 2021 16:53:35 GMT

I have created a dashboard, and have the table view that I want, but when trying to create a search panel with dropdown I seem to bog the system down due to the large amount of data being collected from our firewalls. Is there a way to other that a Base_Search to populate my dropdowns? currently I am using | stats count as (xxx) for all of the dropdowns I have in the search panel. Any help would be appreciated.

Re: How to create Firewall Log Tracking Dashboard

PickleRick — Thu, 02 Sep 2021 19:37:26 GMT

Either use indexed fields or accelerated datamodels to be able to do quick stats. Otherwise you just have lots of data and processing it takes time (and memory).

If you just want to do simple stats from default fields (host, source, sourcetype) or just want to count all events, you can do tstats instead of stats.

Re: How to create Firewall Log Tracking Dashboard

gcusello — Fri, 03 Sep 2021 06:51:29 GMT

Hi @Schwarzkopfr,

to have a quick load of a dropdown input, you have four solutions:

if you have few static values to search, you could configure static values instead of a dynamic search;
you could use a text box that doesn't need a search;
if you have many values, you could schedule a search (e.g. every night or every hour) with only the values to use in the dropdown, saving results in a lookup and then use the lookup for your dropdown;
you could use a datamodel or a Summary index.

The last solution is usually the one used with a large amount of data (e.g. firewalls or proxies) because you can use it both for faster dropdowns and panels.

for more infos see at https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Aboutdatamodels or https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usesummaryindexing

Ciao.

Giuseppe

Re: How to create Firewall Log Tracking Dashboard

Schwarzkopfr — Fri, 03 Sep 2021 13:34:45 GMT

working to create a usable tool for us to use while in a remote status that can accomplish some troubleshooting of the firewalls when other groups are having connection issues and think its a issue with our firewall. I have created a table that mimics the log tracker using index=firewall* . I have also created a search panel of dropdowns to act as a filter to easily search for specific issues like; source + destination + protocol + action., etc... with a submit button to trigger the search.

I'd prefer to keep the data fresh, maybe a six hour search window that will refresh at some interval.

Re: How to create Firewall Log Tracking Dashboard

Schwarzkopfr — Fri, 03 Sep 2021 14:07:16 GMT

Thank you for this information.

I am working to create a usable tool for us to use while working remotely that can accomplish some troubleshooting of the firewalls when other groups are having connection issues and think its a issue with our firewall.

I have created a table that mimics the log tracker view we see when we are onsite, using:

index=firewall* .

I have also created a dashboard search panel of dropdowns to act as a filter to easily search for specific issues like; source + destination + protocol + action., etc... with a submit button to trigger the search.

Would like to keep that data fresh, maybe I need to add a time picker to the search panel.

Re: How to create Firewall Log Tracking Dashboard

gcusello — Fri, 03 Sep 2021 14:12:39 GMT

Hi @Schwarzkopfr,

a Time Picker is always a good idea in your dashboards!

Anyway, take in consideration the idea of using accelerated searches or Data Models o Summary indexes: in this way you loose the real time view but you have responsee times vere very faster than normal searches.

Anyway, if you want continously updated data, you could set up an update time of 5 ore 10 minutes.

Ciao.

Giuseppe

Re: How to create Firewall Log Tracking Dashboard

Schwarzkopfr — Fri, 03 Sep 2021 14:16:43 GMT

Thank you.

Re: How to create Firewall Log Tracking Dashboard

gcusello — Fri, 03 Sep 2021 14:33:39 GMT

Hi @Schwarzkopfr.,

if this answer solves your need, please accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: How to create Firewall Log Tracking Dashboard

Schwarzkopfr — Tue, 07 Sep 2021 13:50:01 GMT

Thanks for the help, I haven't got it worked out. I'm more of a equipment maintainer and not an admin. I was just taking my best shot at creating a firewall log tracker that can be a tool when not onsite or in telework situations. this is the environment we have been in since the beginning of COVID-19. It takes me more time to figure things out because I am un familiar with the process of creating this kind of tool.