Are there any Installation / Configuration instructions available for the Great Bay Software app? I have installed the app (including the TA app) and configured the input for TCP port 514, verified the syslog messages coming to the server which Splunk Enterprise is installed on via pcap, but am not seeing any data populated within the Great Bay Software app.
Any assistance would be greatly appreciated!
you need to set the sourcetype of your data as greatbay:beacon
For example if your greatbay data is received at tcp port 514, your need to have a inputs.conf like this:
[tcp://:514] sourcetype = greatbay:beacon
If the sourcetype is correctly set, please put a few examples of your logs as saw by Splunk (and if possible your GreatBay version).
Thank you for the quick response!
I have configured (via the UI) the TCP and UDP inputs as follows:
I am using Great Bay version 5.0.0_build32, (newest version).
Syslog message example:
AUTHPRIV.ALERT: Sep 28 21:41:54 beacon: Alarm Profile Event. Event Name: [ROGUEDEVICEDETECTED] Switch/port: 0.0.0.0(0) Profile: (GBSROGUEDEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) End node: e0:3f:49:c8:de:f9(0.0.0.0)
Humm... why the hell do you have the facility and severity at the begining of your log (AUTHPRIV.ALERT) ?
Is this what your Splunk is receiving ? Can you share your syslogd config on your Great Bay device (I assume that in version 5 you must still configure it in the syslogd config file) ?
My apologies, I quickly grabbed that off a pcap on the machine in which Splunk is installed. The (AUTHPRIV.ALERT) should not be present, moving to fast....
That being said, I have not seen any data within Splunk itself (I am also new to using Splunk, so please excuse my lack of knowledge there).
The only modifications made on the Great Bay side was to the syslog.conf (etc/syslog.conf) file to define the destination of the syslog server (Splunk).
Message appears as follows:
Sep 28 21:41:54 beacon: Alarm Profile Event. Event Name: [ROGUEDEVICEDETECTED] Switch/port: 0.0.0.0(0) Profile: (GBSROGUEDEVICE) MAC: (e0:3f:49:c8:de:f9) Old Profile: ((null)) End node: e0:3f:49:c8:de:f9(0.0.0.0)
Ah, you don't see any data at all in Splunk ? Even when looking for * ?
Let's discuss this offline (I'll contact you by mail).
That is correct, no data in Splunk. Email / phone would be greatly appreciated, thank you!