
Great Bay Software for Splunk: Are there any installation or configuration instructions available for this app?

n_charpentier
New Member

Hello-

Are there any Installation / Configuration instructions available for the Great Bay Software app? I have installed the app (including the TA app) and configured the input for TCP port 514, verified the syslog messages coming to the server which Splunk Enterprise is installed on via pcap, but am not seeing any data populated within the Great Bay Software app.

Any assistance would be greatly appreciated!

Thank you,
-Nick


mdessus_splunk
Splunk Employee

Hello,

You need to set the sourcetype of your data as greatbay:beacon.

For example, if your greatbay data is received on tcp port 514, you need to have an inputs.conf like this:

[tcp://:514]
sourcetype = greatbay:beacon

If the sourcetype is correctly set, please post a few examples of your logs as seen by Splunk (and, if possible, your GreatBay version).


n_charpentier
New Member

Hello mdessus-

Thank you for the quick response!

I have configured (via the UI) the TCP and UDP inputs as follows:

[screenshot of the TCP and UDP input configuration]

I am using Great Bay version 5.0.0_build32 (the newest version).

Syslog message example:

AUTHPRIV.ALERT: Sep 28 21:41:54 beacon[834]: Alarm Profile Event. Event Name: [ROGUE_DEVICE_DETECTED] Switch/port: 0.0.0.0(0) Profile: (GBS_ROGUE_DEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) End node: e0:3f:49:c8:de:f9(0.0.0.0)


mdessus_splunk
Splunk Employee

Hmm... why the hell do you have the facility and severity at the beginning of your log (AUTHPRIV.ALERT)?
Is this what your Splunk is receiving? Can you share the syslogd config on your Great Bay device (I assume that in version 5 you must still configure it in the syslogd config file)?


n_charpentier
New Member

My apologies, I quickly grabbed that off a pcap on the machine on which Splunk is installed. The (AUTHPRIV.ALERT) should not be present; moving too fast...

That being said, I have not seen any data within Splunk itself (I am also new to using Splunk, so please excuse my lack of knowledge there).

The only modification made on the Great Bay side was to the syslog.conf (etc/syslog.conf) file, to define the destination of the syslog server (Splunk).


mdessus_splunk
Splunk Employee

Ah, you don't see any data at all in Splunk? Even when looking for *?
Let's discuss this offline (I'll contact you by mail).


n_charpentier
New Member

That is correct, no data in Splunk. Email / phone would be greatly appreciated, thank you!


n_charpentier
New Member

Message appears as follows:

Sep 28 21:41:54 beacon[834]: Alarm Profile Event. Event Name: [ROGUE_DEVICE_DETECTED] Switch/port: 0.0.0.0(0) Profile: (GBS_ROGUE_DEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) End node: e0:3f:49:c8:de:f9(0.0.0.0)

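As an added example (not code from this thread, nor from Great Bay Software or the Splunk app), the following parses the Beacon "Alarm Profile Event" line quoted above into fields, tolerating the stray facility.severity prefix (AUTHPRIV.ALERT:) that appeared in the pcap-derived copy, so the same parser works on both forms. The sample events are constructed from the line posted in this thread; the field names are my own.

```python
import re
from typing import Optional

# Constructed sample events in the format quoted in this thread. The first
# carries the stray "FACILITY.SEVERITY:" prefix seen in the pcap capture; the
# second is the form the Beacon host actually sends over syslog.
ALARM_BODY = (
    "Sep 28 21:41:54 beacon[834]: Alarm Profile Event. "
    "Event Name: [ROGUE_DEVICE_DETECTED] Switch/port: 0.0.0.0(0) "
    "Profile: (GBS_ROGUE_DEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) "
    "End node: e0:3f:49:c8:de:f9(0.0.0.0)"
)
SAMPLE_EVENTS = ["AUTHPRIV.ALERT: " + ALARM_BODY, ALARM_BODY]

# Optional "AUTHPRIV.ALERT:" style facility.severity prefix added by some capture tools.
PRIORITY_PREFIX = re.compile(r"^(?P<facility>[A-Z0-9]+)\.(?P<severity>[A-Z]+):\s+")

ALARM_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) beacon\[(?P<pid>\d+)\]: "
    r"Alarm Profile Event\. Event Name: \[(?P<event_name>[^\]]+)\] "
    r"Switch/port: (?P<switch_ip>[^(]+)\((?P<port>[^)]*)\) "
    r"Profile: \((?P<profile>[^)]*)\) MAC: \((?P<mac>[0-9a-f:]{17})\) "
    r"Old Profile: \((?P<old_profile>.*?)\) "
    r"End node: (?P<node_mac>[0-9a-f:]{17})\((?P<node_ip>[^)]*)\)$"
)

def parse_beacon_alarm(line: str) -> Optional[dict]:
    """Parse one Beacon 'Alarm Profile Event' line into a field dict, or None."""
    line = line.strip()
    # Strip a facility.severity prefix if present, so a line lifted from a
    # pcap parses the same way as the raw payload Splunk would index.
    prefixed = PRIORITY_PREFIX.match(line)
    if prefixed:
        line = line[prefixed.end():]
    m = ALARM_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    # Beacon prints "(null)" when there is no previous profile.
    if fields["old_profile"] in ("", "(null)"):
        fields["old_profile"] = None
    fields["had_priority_prefix"] = prefixed is not None
    return fields

def rogue_device_macs(lines) -> list:
    """MACs reported by ROGUE_DEVICE_DETECTED alarms, e.g. for a watchlist lookup."""
    parsed = (parse_beacon_alarm(l) for l in lines)
    return [a["mac"] for a in parsed if a and a["event_name"] == "ROGUE_DEVICE_DETECTED"]
```

A line that parses only after the prefix is stripped (had_priority_prefix is True) is a sign the sample was taken from a capture tool rather than from what Splunk indexed.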