All Apps and Add-ons

Great Bay Software for Splunk: Are there any installation or configuration instructions available for this app?

n_charpentier
New Member

Hello-

Are there any Installation / Configuration instructions available for the Great Bay Software app? I have installed the app (including the TA app) and configured the input for TCP port 514, verified the syslog messages coming to the server which Splunk Enterprise is installed on via pcap, but am not seeing any data populated within the Great Bay Software app.

Any assistance would be greatly appreciated!

Thank you,
-Nick

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Hello,

you need to set the sourcetype of your data as greatbay:beacon

For example if your greatbay data is received at tcp port 514, your need to have a inputs.conf like this:

[tcp://:514] 
sourcetype = greatbay:beacon

If the sourcetype is correctly set, please put a few examples of your logs as saw by Splunk (and if possible your GreatBay version).

0 Karma

n_charpentier
New Member

Hello mdessus-

Thank you for the quick response!

I have configured (via the UI) the TCP and UDP inputs as follows:

alt text

I am using Great Bay version 5.0.0_build32, (newest version).

Syslog message example:

AUTHPRIV.ALERT: Sep 28 21:41:54 beacon[834]: Alarm Profile Event. Event Name: [ROGUE_DEVICE_DETECTED] Switch/port: 0.0.0.0(0) Profile: (GBS_ROGUE_DEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) End node: e0:3f:49:c8:de:f9(0.0.0.0)

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Humm... why the hell do you have the facility and severity at the begining of your log (AUTHPRIV.ALERT) ?
Is this what your Splunk is receiving ? Can you share your syslogd config on your Great Bay device (I assume that in version 5 you must still configure it in the syslogd config file) ?

0 Karma

n_charpentier
New Member

My apologies, I quickly grabbed that off a pcap on the machine in which Splunk is installed. The (AUTHPRIV.ALERT) should not be present, moving to fast....

That being said, I have not seen any data within Splunk itself (I am also new to using Splunk, so please excuse my lack of knowledge there).

The only modifications made on the Great Bay side was to the syslog.conf (etc/syslog.conf) file to define the destination of the syslog server (Splunk).

0 Karma

mdessus_splunk
Splunk Employee
Splunk Employee

Ah, you don't see any data at all in Splunk ? Even when looking for * ?
Let's discuss this offline (I'll contact you by mail).

0 Karma

n_charpentier
New Member

That is correct, no data in Splunk. Email / phone would be greatly appreciated, thank you!

0 Karma

n_charpentier
New Member

Message appears as follows:

Sep 28 21:41:54 beacon[834]: Alarm Profile Event. Event Name: [ROGUE_DEVICE_DETECTED] Switch/port: 0.0.0.0(0) Profile: (GBS_ROGUE_DEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) End node: e0:3f:49:c8:de:f9(0.0.0.0)

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...