Dell Sonicwall Analytics: How to modify the sonicwall_firewalls.csv file, and is there a version of the app to configure with Splunk 6.3?

skender27
Contributor

Hi,

I installed the app and followed all the instructions to configure it with the IPFix (I also put in the settings from the only firewall server), but it is still not working (I get no events from index=sonicwall).
I am really interested in this app, but specifically I do not understand what to insert in the sonicwall_firewalls.csv instead of the host IP of the firewall server?
I mean; where do I tell the app to pull data from the firewall IP address?
Could you help me resolve this? (I use Splunk 6.2 installed on Windows and I also opened the necessary UDP ports)

Thanks,
Skender

0 Karma
1 Solution

skender27
Contributor

As far as I understand, the things to set are:
the IPFIX collector goes to index=sonicwall and syslog (from UDP port 514) goes to the sonicwall_syslog index.
Below you see the inputs.conf and index.conf.

Following the procedure of the app, set port 2055 for sourcetype=dell_ipfix and index=sonicwall

[sonicwall]
coldPath = $SPLUNK_DB\sonicwall\colddb
homePath = $SPLUNK_DB\sonicwall\db
maxTotalDataSizeMB = 50000
thawedPath = $SPLUNK_DB\sonicwall\thaweddb

[sonicwall_syslog]
coldPath = $SPLUNK_DB\sonicwall_syslog\colddb
homePath = $SPLUNK_DB\sonicwall_syslog\db
maxTotalDataSizeMB = 50000
thawedPath = $SPLUNK_DB\sonicwall_syslog\thaweddb

For syslog receiving in Splunk: index=sonicwall_syslog, UDP port 514 (added as the Input Network port)

[udp://514]
connection_host = ip
index = sonicwall_syslog
sourcetype = syslog

0 Karma

skender27
Contributor

When I run the search firewall to generate the sonicwall hostnames (I also changed the second occurrence of the name in the .csv file), I get results only from my own local machine...
It seems that Splunk is not receiving data from the sonicwall server! How can I check this?

Skender

0 Karma
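One way to answer "how can I check this" from outside Splunk, as an added example that is not from the thread or the app: a small Python probe that binds the two UDP ports from the inputs.conf above (514 for syslog, 2055 for IPFIX), counts datagrams per sender IP for a short window, and renders what it saw in the same host,firewall_hostname layout as sonicwall_firewalls.csv. If nothing arrives here, the problem is the firewall's export settings or the network path (Windows firewall included), not the app; the friendly-name mapping and the 1.2.3.4 address are constructed placeholders.

```python
import csv
import io
import select
import socket
import time
from collections import Counter

# UDP ports the thread's inputs.conf receives on: syslog on 514, IPFIX on 2055.
LISTEN_PORTS = {514: "syslog", 2055: "dell_ipfix"}


def count_senders(ports=LISTEN_PORTS, seconds=30):
    """Bind the UDP ports and tally datagrams per (source IP, port).
    Disable Splunk's udp://514 and udp://2055 inputs first, or the bind
    fails; ports below 1024 usually need elevated rights."""
    socks = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("0.0.0.0", port))
        socks.append(s)
    seen = Counter()
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        ready, _, _ = select.select(socks, [], [], 1.0)
        for s in ready:
            _data, (src_ip, _src_port) = s.recvfrom(65535)
            seen[(src_ip, s.getsockname()[1])] += 1
    for s in socks:
        s.close()
    return seen


def build_lookup_rows(seen, names):
    """Render the tally as sonicwall_firewalls.csv rows (host,firewall_hostname).
    'host' is the sender IP, which is what connection_host = ip puts in the
    Splunk host field; 'names' maps IP -> friendly name (constructed input)."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["host", "firewall_hostname"])
    for ip in sorted({ip for (ip, _port) in seen}):
        w.writerow([ip, names.get(ip, ip)])
    return buf.getvalue()


if __name__ == "__main__":
    tally = count_senders()
    for (ip, port), n in sorted(tally.items()):
        print(f"{ip} -> udp/{port} ({LISTEN_PORTS[port]}): {n} datagrams")
    print(build_lookup_rows(tally, {"1.2.3.4": "from_sonicwall_server"}))
```

Once datagrams show up here but still not in Splunk, re-enable the inputs and compare the sender IP printed above with the host values the app's search returns; they must match for the lookup row to apply.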

skender27
Contributor

host,"firewall_hostname"
"localhost:2055","localhost:2055"
"1.2.3.4","from_sonicwall_server"

After I edited the .csv file, I re-executed the search and now I get the result as you see,
where localhost:2055 is my local machine and the (sample) server 1.2.3.4 is where Sonicwall is running...

0 Karma