
How can I monitor TMG logs?

Builder

Hi

I have to monitor TMG logs in the path D:\tmglogs. I have to separate the logs by sourcetypes: if the filename has FWS it's firewall, and if it has WEB it's proxy. What changes are to be made in input.conf to get the two sourcetypes based on the filename?
Also, new files are created daily; how can I monitor only the files created today?

D:\tmglogs\ISALOG_20161006_FWS_000.w3c
D:\tmglogs\ISALOG_20161005_WEB_000.w3c

current configuration in input.conf:

#Forefront TMG Firewall logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\*.w3c]
sourcetype = microsoft:forefront:tmg:fw
index=tmg

#Forefront TMG Proxy logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\*.w3c]
sourcetype = microsoft:forefront:tmg:proxy


Motivator
#Forefront TMG Firewall logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\ISALOG_*_FWS_000.w3c]
sourcetype = microsoft:forefront:tmg:fw
ignoreOlderThan = 24h
index=tmg

#Forefront TMG Proxy logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\ISALOG_*_WEB_000.w3c]
sourcetype = microsoft:forefront:tmg:proxy
ignoreOlderThan = 24h
index=tmg

I believe that should work

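Added dry-run check (not Splunk's code or the TA's): it applies Splunk's monitor wildcard rule (a `*` never crosses a path separator) to a constructed directory listing, so you can confirm the two stanzas in the answer are disjoint, that the original `D:\tmglogs\*.w3c` path claims every file for both sourcetypes, and that ignoreOlderThan is judged on file modification time rather than the date in the file name. The `_001` rotated file name and all timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Stanzas from the accepted answer: (monitor path, sourcetype)
STANZAS = [
    (r"D:\tmglogs\ISALOG_*_FWS_000.w3c", "microsoft:forefront:tmg:fw"),
    (r"D:\tmglogs\ISALOG_*_WEB_000.w3c", "microsoft:forefront:tmg:proxy"),
]
IGNORE_OLDER_THAN = timedelta(hours=24)  # ignoreOlderThan = 24h

def glob_to_regex(glob):
    """Splunk monitor wildcards: '*' matches within one path segment,
    '...' spans directories; everything else is literal."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("...", i):
            out, i = out + ".*", i + 3
        elif glob[i] == "*":
            out, i = out + r"[^\\]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$", re.IGNORECASE)

def sourcetypes_for(path):
    """Every sourcetype whose stanza matches the path; more than one is a conflict."""
    return [st for glob, st in STANZAS if glob_to_regex(glob).match(path)]

def dry_run(files, now):
    """files: {path: mtime}. Returns {path: sourcetype or None}.
    ignoreOlderThan is judged on modification time, not the date in the name."""
    result = {}
    for path, mtime in files.items():
        matches = sourcetypes_for(path)
        if len(matches) > 1:
            raise ValueError(f"{path} is claimed by several stanzas: {matches}")
        fresh = now - mtime <= IGNORE_OLDER_THAN
        result[path] = matches[0] if matches and fresh else None
    return result

# Constructed directory listing: path -> last modification time
NOW = datetime(2016, 10, 6, 18, 0)
SAMPLE_FILES = {
    r"D:\tmglogs\ISALOG_20161006_FWS_000.w3c": NOW - timedelta(minutes=5),
    r"D:\tmglogs\ISALOG_20161006_WEB_000.w3c": NOW - timedelta(minutes=5),
    r"D:\tmglogs\ISALOG_20161005_FWS_000.w3c": NOW - timedelta(hours=18),   # yesterday's name, written to recently: still indexed
    r"D:\tmglogs\ISALOG_20161001_WEB_000.w3c": NOW - timedelta(days=5),     # stale mtime: ignored
    r"D:\tmglogs\ISALOG_20161006_FWS_001.w3c": NOW - timedelta(minutes=1),  # hypothetical rotated name: matched by no stanza
}
```

Call `dry_run(SAMPLE_FILES, NOW)` to see which constructed files each stanza would pick up; a file name that ends in anything other than `_000.w3c` is silently left out, which is the first thing to check if a rotated log never shows up.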


Builder

Hi, it's still getting all logs under sourcetype = microsoft:forefront:tmg:fw.


Builder

It's working! Thanks a lot


Motivator

Great! If you need this to be CIM compliant then get tags.conf from https://github.com/inspired/TA-Microsoft_Forefront_TMG/blob/master/default/tags.conf

I believe it is missing in the app I posted on Splunkbase. If you don't need CIM then don't bother 🙂

Please also rate the app on Splunkbase if you find it useful.


Builder

Thanks! Any idea what kind of dashboards can be done with TMG logs?


Motivator

Since the add-on is CIM compliant you can use the Web data models in the Splunk Common Information Add-on (available at Splunkbase). Enterprise Security will also be able to leverage these logs out of the box. I guess top domains, top users, top user agents etc. could be interesting data to show in your dashboard.
