- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How can I monitor TMG logs?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have to monitor TMG logs in the path D:\tmglogs. I have to separate the logs by sourcetypes, if it has FWS its firewall and WEB its proxy. What changes are to be made in input.conf to get the two sourcetypes based on the filename?
And the new files are created daily, how can I monitor only the files created today?
D:\tmglogs\ISALOG_20161006_FWS_000.w3c
D:\tmglogs\ISALOG_20161005_WEB_000.w3c
current configuration in input.conf:
Forefront TMG Firewall logs
Modify paths to fit your needs
[monitor://D:\tmglogs*.w3c]
sourcetype = microsoft:forefront:tmg:fw
index=tmg
Forefront TMG Proxy logs
Modify paths to fit your needs
[monitor://D:\tmglogs*.w3c]]
sourcetype = microsoft:forefront:tmg:proxy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
#Forefront TMG Firewall logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\ISALOG_*_FWS_000.w3c]
sourcetype = microsoft:forefront:tmg:fw
ignoreOlderThan = 24h
index=tmg
#Forefront TMG Proxy logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\ISALOG_*_WEB_000.w3c]
sourcetype = microsoft:forefront:tmg:proxy
ignoreOlderThan = 24h
index=tmg
I believe that should work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
#Forefront TMG Firewall logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\ISALOG_*_FWS_000.w3c]
sourcetype = microsoft:forefront:tmg:fw
ignoreOlderThan = 24h
index=tmg
#Forefront TMG Proxy logs
# Modify paths to fit your needs
[monitor://D:\tmglogs\ISALOG_*_WEB_000.w3c]
sourcetype = microsoft:forefront:tmg:proxy
ignoreOlderThan = 24h
index=tmg
I believe that should work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, its still getting all logs under sourcetype = microsoft:forefront:tmg:fw.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its working! Thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! If you need this to be CIM compliant then get tags.conf from https://github.com/inspired/TA-Microsoft_Forefront_TMG/blob/master/default/tags.conf
I believe it is missing in the app I posted on Splunkbase. If you don't need CIM then don't bother 🙂
Please also rate the app on Splunkbase if you find it useful
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! Any idea what kind of Dashboard's can be done with tmg logs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the add-on is CIM compliant you can use the Web data models in the Splunk Common Information Add-on (available at Splunkbase). Enterprise Security will also be able to leverage these logs out of the box. I guess top domains, top users, top user agents etc could be interesting data to show in your dashboard
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
