All Apps and Add-ons

data input configuration

New Member

Hello I found nowhere any readme file to configure data input. How should it be done ? Is there any setup explanation anywhere ?
Sniffing my splunk server NIC, I can see syslog packets coming in from my SOphos UTM, but no stats appear. I wonder if it may not come from data input misconfigutation ! I saw nothing on the subject !

regards

franck

Tags (1)
0 Karma

New Member

Setting the sourcetype to syslog was a big help, thank you! I found the field aliases are not working in Splunk 7.3.1. I was able to resolve many of the dashboards by changing vendor_action to action in the saved searches. Still seeing some strange behavior with blocked traffic chart and table (both are empty) although the allowed chart and table work fine. Not sure how to resolve as the search is similar in both other than the action type. Did run the search alone and the data is there.

0 Karma

New Member

Poked around a bit at this one for my home Sophos and figured some stuff out for anyone still interested. This app was probably not written for publishing but for someone to use for their own purposes. Seems like they just decided to post it later but as is, this app takes quite a bit of tweaking and still has some gaps. It's a good start though.

Your data input needs to set the source type to 'syslog' -> In the apps props and transforms files you will find that it is looking for 'syslog' and then breaks apart the various log types into UTM:SecureWeb, UTM:SecureNet, UTM:System, UTM:dhcpd, and UTM:SecureMail. Some events will remain syslog, for example the WAF logs. You could update the transforms pretty easy to break them apart using httpd if you wanted. Same with IPSec logs and any others you want.

Another issue is that a good chunk of the dashboards may not work without modifications. Many searches have a srcip=192.168.* hardcoded so if your subnet is anything else, you will get no data. Some searches have typos (missing a space between terms) and others search for srcip="192.168.1.0/24" which is never going to appear in the logs so this search will always return nothing unless corrected.

Another note is that some of the searches filter out certain categories like "ads" or "pornography" so if you want to see those categories in your searches you will need to remove the criteria.

Overall, not a bad starting point and with a little massaging the dashboards will work but definitely not a plug and play app.

0 Karma