All Apps and Add-ons

Splunk for Cisco Firewalls TA

elusive
Splunk Employee
Splunk Employee

Quick question: I noticed here http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls that set up allows the user to configure a TCP/UDP listener.

I'm interested in the reasoning for using this method of input.

Can someone point me to some info on the advantages of why we'd use port listeners instead of tailing syslog files?

0 Karma

rsennett_splunk
Splunk Employee
Splunk Employee

Hello elusive,

The TA allows for port set-up for a number of reasons, but it isn't considered an advantage nor is it the recommended setup. It is however, handy for testing when your syslog is old school (ie, not syslog-ng) and writes only to a messages file.


Yes, Splunk can listen for syslog messages via tcp or udp. It is however recommended that you resist the urge to have Splunk listen for it beyond the testing phase.

Logically there are several reasons why that particular configuration isn’t something you want to stick with in production. Let me count the ways…


  1. Single point of failure – especially with UDP

  2. There will be perfectly legit reasons for you to require a restart of the instance so the “failure” will inevitably be at your own hand.

  3. There are a few more feature rich and way cooler alternatives to syslog that don’t require that you “listen”

The recommended configuration is a dedicated rsyslog or syslog-ng server collecting data. With the lovely bells and whistles of these two more full featured products engaged you may choose to break out the various logs from the pack, write them to disk so they’re nice and safe, and install a Universal Forwarder which then handles negotiating any interruption caused by an indexer restart.

And by the phrasing of your question... it sounds like you would prefer to be set up that way in the first place... so Bravo! You're right to have questioned it... it's just an option. Not a requirement of the TA.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...