All Apps and Add-ons

Use Splunk Listener Instead of Syslog File?

wbkendall
Explorer

I have a single remote device I want to monitor and Splunk running on Windows. I set up a UDP listener in Splunk for port 514 and pointed the single remote device to the Splunk machine. I can see that Splunk is logging this data correctly.

This application is not seeing this data, however, and I'm pretty sure it's because the instructions tell you to point the app to the log files for syslog.

Can I set this application up to just use the data that's coming in through the Splunk listener I've already set up? If not, can I set the listener up to write its data out to a file that I can then point this application to?

Thanks!

0 Karma
1 Solution

jbrodsky_splunk
Splunk Employee
Splunk Employee

My guess is that the sourcetype for your syslog data is set to some default (i.e. "syslog") and your index that it is going into is also default ("main").

Looking at the app, it assumes that the data is being sourcetyped with a certain name, and that the index the data is going into is specific as well.

If you sourcetype the data as iptables_source, and create a index called iptables_index, and then configure Splunk as a syslog listener on UDP 514, but set the sourcetype as iptables_source and the destination as iptables_index, your app's dashboards should populate.

View solution in original post

jbrodsky_splunk
Splunk Employee
Splunk Employee

My guess is that the sourcetype for your syslog data is set to some default (i.e. "syslog") and your index that it is going into is also default ("main").

Looking at the app, it assumes that the data is being sourcetyped with a certain name, and that the index the data is going into is specific as well.

If you sourcetype the data as iptables_source, and create a index called iptables_index, and then configure Splunk as a syslog listener on UDP 514, but set the sourcetype as iptables_source and the destination as iptables_index, your app's dashboards should populate.

jbrodsky_splunk
Splunk Employee
Splunk Employee

Time to learn about the "nullQueue" capability. (google Splunk nullQueue.) You will write a regex to match the DHCP messages, and send them to the nullQueue, so that they do not get indexed. But do you really want to drop those DHCP messages? I use them on my home router to determine what MAC addresses are on my network (usual ones and rare ones). I correlate them with a mac-to-vendor lookup table to know more about what kind of devices are on the network. And since my kids nanny's iPhone attaches to my network at the same time daily, I can use Splunk to prove that she was on time. Or not. 🙂

0 Karma

wbkendall
Explorer

So... it appears to be working now. The Source IP shows correct values, but the router's sending everything to Splunk, including things like DHCP events. Any easy way to set it up to only parse firewall events and ignore everything else? Thanks!

0 Karma

wbkendall
Explorer

I've set it up like you recommend but I have apparently indexed my limit today, so I'll check it tomorrow and provide feedback.

Thanks!

0 Karma

grijhwani
Motivator

I can only offer tangential advice.

If this were a Linux (or similar system), the thing to do would be run the syslog service and have Splunk sweep it, at the file level. There is a product called syslog-ng which offers a syslog service but allows for extended handling of the the syslogged events (extra time-stamping, segregation of different content into separate log files, etc.). I think you will find there is a version for Windows. You could set that up as a service, and then pull the log files into Splunk and any other analysis tool you wanted. Probably easier than reconstructing output from Splunk.

0 Karma

wbkendall
Explorer

Thanks for the response.

If I were going to have to go that route I may as well set up Splunk in a virtual machine running Linux on my Windows box. The goal was to minimize log loss when the Windows box is rebooted, however. Syslog-ng has a Win client if you buy the Premium edition.

This is all for a home PC and a home firewall. We're going to be installing Splunk at work and I need to get my hands dirty first. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...