Hello, I configured Deep Security Manager to send traffic to Splunk. I see that Splunk is getting all packets on UDP port 10702, but it doesn't show in events or the UI. How do I configure it to show in the UI? So frustrating.
@idurrani, You're asking a new question rather than answering the one asked by the OP. Please post a new question about your problem.
The App creates 6 different syslog listeners to help differentiate events in one module from another.
10701 - Syslog UDP port for System Events
10702 - Syslog UDP port for Anti-Malware Events
10703 - Syslog UDP port for Web Reputation Events
10704 - Syslog UDP port for Firewall and IPS Events
10705 - Syslog UDP port for Integrity Monitoring Events
10706 - Syslog UDP port for Log Inspection Events
After installing the App, you just need to configure the syslog output for each of the modules within your security policy to send event data to the appropriate syslog port on your Splunk system. The easiest way is to configure the product to forward syslog output from the Deep Security Manager and not the Agents themselves to the Splunk listeners.
If you search for "syslog" or "SIEM" in the online help in Deep Security Manager, you should see instructions on how to configure the syslog settings.
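To check that the module-to-port mapping above is wired up correctly before touching the Deep Security policy, here is a small loopback test harness. It is an added example and not code from the Deep Security Splunk App or from the poster; the `DeepSecurity[module]` tag, the `dsm-test` hostname and the message body are constructed values, and the BSD-style syslog line format is an assumption (the App's real events will differ in content, but the port per module is what matters here).

```python
import datetime
import re
import socket
import sys

# Port-to-module mapping as listed in the answer above (Deep Security Splunk App listeners).
LISTENER_PORTS = {
    "system": 10701,
    "anti_malware": 10702,
    "web_reputation": 10703,
    "firewall_ips": 10704,
    "integrity_monitoring": 10705,
    "log_inspection": 10706,
}

# Minimal BSD-style (RFC 3164) syslog line: <PRI>TIMESTAMP HOST TAG[EXTRA]: BODY
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[([^\]]*)\])?: (.*)$"
)


def port_for_module(module):
    """Return the UDP listener port for a Deep Security module name."""
    try:
        return LISTENER_PORTS[module]
    except KeyError:
        raise ValueError(f"unknown module {module!r}; expected one of {sorted(LISTENER_PORTS)}")


def build_syslog_message(module, body, hostname="dsm-test", facility=16, severity=6, now=None):
    """Build a constructed BSD-style syslog line (facility 16 = local0, severity 6 = info)."""
    pri = facility * 8 + severity
    now = now or datetime.datetime.now()
    # RFC 3164 pads a single-digit day with a space, e.g. "Jan  5 13:04:05"
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} DeepSecurity[{module}]: {body}"


def parse_syslog_message(line):
    """Decode a line produced by build_syslog_message back into its fields."""
    match = SYSLOG_RE.match(line)
    if not match:
        raise ValueError(f"not a recognised syslog line: {line!r}")
    pri, timestamp, hostname, tag, extra, body = match.groups()
    pri = int(pri)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": timestamp,
        "hostname": hostname,
        "tag": tag,
        "module": extra,
        "body": body,
    }


def send_test_event(module, host="127.0.0.1", port=None, body=None):
    """Send one constructed test event for `module` over UDP and return the line sent."""
    port = port if port is not None else port_for_module(module)
    body = body or f"constructed test event for {module}"
    line = build_syslog_message(module, body)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))
    return line


def loopback_self_test(module, timeout=2.0):
    """Bind a throwaway UDP listener on localhost, send a test event to it and parse what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
        receiver.settimeout(timeout)
        port = receiver.getsockname()[1]
        sent = send_test_event(module, host="127.0.0.1", port=port)
        data, _ = receiver.recvfrom(4096)
    received = data.decode("utf-8")
    if received != sent:
        raise RuntimeError("received payload does not match what was sent")
    return parse_syslog_message(received)


if __name__ == "__main__":
    # Usage: python dsm_syslog_check.py <splunk-host>
    # Sends one constructed event to each of the six listeners on the given Splunk host,
    # so you can then search each sourcetype/index in Splunk and see which ports are actually indexed.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name in LISTENER_PORTS:
        print(f"{port_for_module(name)} <- {send_test_event(name, host=target)}")
```

Running it against the Splunk host and then searching for `dsm-test` in Splunk tells you whether each listener is bound and indexing; UDP gives no acknowledgement, so a packet capture showing traffic on 10702 (as in the first comment above) only proves delivery to the host, not that the App's input is listening on it.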
Thank you Mike.
So if I am understanding it correctly, we need to do the configuration in the Deep Security Manager settings itself, not on the Splunk server side, right?
Where will I find those security policies you are referring to: on the Deep Security server, the Splunk server, or the firewall?
Please help me understand this.
Thanks in advance.
I checked the system; everything seems to be in place as you suggested, but logs are still not coming, although they came one day but not afterwards. Could you please clarify the above doubts, Mike?