Hello,
Myself and another gentleman have been tasked to integrate NSX-T TLS log forwarding to Splunk. Is there a list of exact instructions or a white paper showing how to accomplish this? Do we need to have our purchasing folks reach out for support as well?
Very respectfully,
James
There are a few ways to onboard data into Splunk.
Install a universal forwarder on the server to send log files to Splunk
Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog
Use the server's API to extract data for indexing
Use Splunk DB Connect to pull data from the server's SQL database.
Have the application send data directly to Splunk using HTTP Event Collector (HEC).
My friend Google says NSX-T can send its logs via syslog so that option may work for you.
If you run NSX-T on VMware then consider the VMware NSX-T Splunk App (https://splunkbase.splunk.com/app/4241)
Somewhat.
I am already familiar with the universal forwarder. In this case, it's very specific. We need to have NSX-T use TLS to send its logs to Splunk. And yes, I have been researching and reading individual blogs and sites.
Very respectfully,
James
Syslog-ng can be configured to accept syslog over TLS. See https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-.... Once the data has been received and saved on the syslog server, a UF can be used to forward the data to Splunk over a TLS-protected session. See https://docs.splunk.com/Documentation/Splunk/9.0.2/Security/AboutsecuringyourSplunkconfigurationwith...
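As an added illustration of the syslog-ng side of the setup described in the reply above (not part of the original post, and not taken from Splunk or VMware documentation): a TLS listener that writes received messages to per-sender files a universal forwarder could monitor. Port 6514, every file path, and the expectation that the NSX-T nodes present a client certificate are assumptions.

```conf
# Added example: syslog-ng OSE 3.x, TLS receiver for NSX-T syslog.
# All paths below are assumed; adjust them to the local layout.
@version: 3.16

source s_nsxt_tls {
    network(
        ip("0.0.0.0")
        port(6514)                      # assumed port; must match the NSX-T logging-server port
        transport("tls")
        tls(
            # Certificate and private key this syslog server presents to NSX-T.
            cert-file("/etc/syslog-ng/cert.d/syslog-server.crt")
            key-file("/etc/syslog-ng/key.d/syslog-server.key")
            # Directory of trusted CA certificates; syslog-ng looks them up
            # by OpenSSL subject-hash file name (for example <hash>.0).
            ca-dir("/etc/syslog-ng/ca.d")
            # Require a client certificate that chains to a CA in ca-dir.
            # Assumes the NSX-T nodes are configured to send one.
            peer-verify(required-trusted)
            # Refuse legacy protocol versions.
            ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

destination d_nsxt_files {
    # SOURCEIP comes from the connection, not from the message body,
    # so a sender cannot choose the directory it is written to.
    file(
        "/var/log/remote/nsxt/${SOURCEIP}/nsxt.log"
        create-dirs(yes)
        dir-perm(0750)
        perm(0640)
    );
};

log {
    source(s_nsxt_tls);
    destination(d_nsxt_files);
};
```

The universal forwarder on this host would then monitor /var/log/remote/nsxt and forward to the indexers over its own TLS-protected session, as the reply describes.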
Hi
There seems to be an NSX-T app which you may be able to use for ingesting the data and showing it. See https://splunkbase.splunk.com/app/4241. What I don't like about it is that it uses a separate IP listener on the Splunk node to get data in. A much better way is to use a separate syslog server for it. I haven't checked whether you can also use the Splunk Add-on for VMware https://splunkbase.splunk.com/app/3215.
r. Ismo
We will be using the Splunk add-on from VMware.
I am just trying to wrap my head around the certs to do this. I understand from the VMware pages what our guys have to do at the command line to enable the TLS protocol and what certs to send. (As well as what logging will be sent.)
I know from the Splunk notes that the three certs to be sent will be combined on the Splunk side and in what order they need to be done. I am just still a little confused as to how, on the Splunk side, the VMware add-on will be using that combined cert.
Very respectfully,
James
Hey there.
I do appreciate the reply. As I said, we need to have the NSX-T use TLS to forward the logs to Splunk.
Very respectfully,
James