Hello team,
Need some help here; I'm sure you guys really can.
Write me with some insight on how I can use containers better.
Desired goal:
Get the logs from Firewall > Synology > Docker container [splunk-splunk]
Actions Taken:
Logs are being sent out from origin: syslog server
Created an entry in the syslog server to send messages to IP:6515 (Synology DSM)
Modified the port settings in Docker to have Local port: 6515 | Container port: 9997
The Docker bridge displays the auto subnet 172.17.0.0/16 with gateway 172.17.0.1
Result:
At this moment I can access the Splunk web GUI at localhost:8000 with no problem; I see "ALL" logs tagged with a source IP of 172.17.0.1, which belongs to the bridge gateway on the Docker driver.
If the desired goal is to monitor the logs from the syslog server in a more verbose manner, how would you guys advise configuring the receiving side of Docker (container/Splunk) to make this happen?
Log detail sample:
date_zone = local
host = 172.17.0.1
process = filterlog
source = udp:9997
sourcetype = syslog
splunk_server = 039974fdab5a
timeendpos = 15
Similar question here:
https://www.experts-exchange.com/questions/29110888/Synology-and-Splunk.html
Other Splunk resources previously reviewed:
https://conf.splunk.com/files/2016/slides/how-to-run-splunk-as-a-docker-image.pdf
https://conf.splunk.com/files/2017/slides/running-splunk-enterprise-within-docker.pdf
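Added example, not part of the original post and not Splunk's or Synology's own configuration: a docker-compose.yml that runs the Splunk container on the host network so that syslog datagrams reach Splunk without passing through Docker's published-port plumbing, with the post's bridge-network port mapping kept alongside as the setup to compare against. The image name `splunk/splunk`, the container name, the password and the volume names are assumptions; the UDP port 6515 and the bridge gateway 172.17.0.1 are taken from the post.

```yaml
# docker-compose.yml for the Splunk container on the Synology host.
# Added example, not from the original post. Image, credentials and
# volume names are assumptions; adjust them to match the DSM Docker setup.
version: "3.7"

services:
  splunk:
    image: splunk/splunk:latest          # assumed image; the post only names the container "splunk-splunk"
    container_name: splunk-splunk
    # Corrected setting: share the host's network stack. Splunk then binds
    # udp/6515 directly on the Synology interface, the datagrams are not
    # NATed or relayed, and the sender address Splunk records is the real
    # one rather than the bridge gateway 172.17.0.1 seen in the post.
    # No "ports:" mapping is used in this mode; the Splunk web UI is still
    # reachable on port 8000 of the host.
    network_mode: host
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=ChangeMe-Example1   # assumed placeholder; recent splunk/splunk images require it
    volumes:
      - splunk-etc:/opt/splunk/etc
      - splunk-var:/opt/splunk/var

    # The post's current setting (bridge network with a published port)
    # would replace "network_mode: host" with the mapping below. Caveats:
    #   - without the "/udp" suffix Docker publishes TCP only, and syslog
    #     from the firewall is UDP;
    #   - when the published port is served through Docker's userland
    #     proxy (docker-proxy), the container sees the bridge gateway
    #     172.17.0.1 as the sender of every datagram, which matches the
    #     "host = 172.17.0.1" in the post's log sample.
    # ports:
    #   - "6515:9997/udp"

volumes:
  splunk-etc:
  splunk-var:
```

With host networking, the Splunk UDP input itself must listen on 6515 (Settings > Data inputs > UDP, or an `inputs.conf` stanza `[udp://6515]` with `sourcetype = syslog` and `connection_host = ip`), since the 6515 -> 9997 translation from the bridge setup no longer exists; 9997 is conventionally the forwarder receiving port and is better left for that. One further point to check: because the messages are relayed by the Synology syslog server, the network sender Splunk sees will be the Synology itself, not the firewall. If the firewall's address is wanted as the Splunk `host` field, either point the firewall at the Synology's 6515 directly or let Splunk take the host from the syslog header instead of the connection address.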