Hi Guys,
I've been trying to send Cisco ASA firewall logs to syslog-ng server where the forwarder is installed but I just can't get it working.
I've set up a forwarder and installed syslog-ng in an Ubuntu VM.
I have tried to follow the instructions on this link and also from various other sources, but I'm stressed enough to say that I just can't get it working.
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk/
I really need some clear detailed step by step instructions on how to configure Cisco ASA to store syslogs into the syslog-ng server and forward the data to indexer.
I'm not sure if I configured the syslog-ng server properly in Ubuntu. I used the following tutorial, but no success.
https://www.youtube.com/watch?v=glvsJJFbzZc&feature=em-share_video_user
Could you check if everything looks ok below and advise the next step from here?
My goal is to send Cisco ASA firewall logs to the syslog-ng server and push them out to the indexer with the universal forwarder, so that I'm able to see all the Cisco ASA logs from the search.
My setup is as below: All servers have been built with Ubuntu in VM.
Indexer: 10.10.50.11
Forwarder: 10.10.50.12 (Installed syslog-ng here)
I can ping and SSH between Indexer and forwarder.
Configured universal forwarder to send data to the receiving indexer.
root@forwarder:/opt/splunkforwarder/bin# ./splunk add forward-server 10.10.50.11:9997 -auth admin:seeshock
root@forwarder:/opt/splunkforwarder/bin# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
10.10.50.11:9997
Configure deployment client
root@forwarder:/opt/splunkforwarder/bin# ./splunk show deploy-poll
Deployment Server URI is set to "10.10.50.12:8089".
root@indexer:/opt/splunk/bin# ./splunk status
splunkd is running (PID: 3109).
splunk helpers are running (PIDs: 3110 3118 3183 3200).
root@indexer:/opt/splunk/bin# ./splunk btool inputs list splunktcp --debug | grep -v default
/opt/splunk/etc/system/local/inputs.conf host = indexer
/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf connection_host = ip
/opt/splunk/etc/system/local/inputs.conf host = indexer
root@indexer:/opt/splunk/bin# ./splunk list inputstatus
tcp_cooked:listenerports :
9997
index=_internal host="indexer"
Time Event
4/2/17 10.10.50.11 - admin [02/Apr/2017:20:47:25.825 +1000] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+host%3D&useTypeahead=true&useAssistant=false&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1491126297345 HTTP/1.1" 200 5141 "http://10.10.50.11:8000/en-US/app/search/search?q=search%20index%3D_internal%20host%3Dforwarder&disp..." "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0" - b44fb5fd27b3677a2443d6de473370fe 8ms
8:47:25.825 PM · host = indexer
· source = /opt/splunk/var/log/splunk/splunkd_ui_access.log
· sourcetype = splunkd_ui_access
4/2/17 10.10.50.11 - admin [02/Apr/2017:20:47:25.681 +1000] "GET /en-US/splunkd/_raw/services/search/shelper?output_mode=json&snippet=true&snippetEmbedJS=false&namespace=search&search=search+index%3D_internal+host%3Df&useTypeahead=true&useAssistant=false&showCommandHelp=true&showCommandHistory=true&showFieldInfo=false&=1491126297344 HTTP/1.1" 200 5109 "http://10.10.50.11:8000/en-US/app/search/search?q=search%20index%3D_internal%20host%3Dforwarder&disp..." "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0" - b44fb5fd27b3677a2443d6de473370fe 40ms
8:47:25.681 PM · host = indexer
· source = /opt/splunk/var/log/splunk/splunkd_ui_access.log
· sourcetype = splunkd_ui_access
index=_internal host="forwarder"
4/3/17 04-03-2017 14:15:24.393 +1000 INFO DC:PhonehomeThread - Attempted handshake 260 times. Will try to re-subscribe to handshake reply
2:15:24.393 PM · host = forwarder
· source = /opt/splunkforwarder/var/log/splunk/splunkd.log
· sourcetype = splunkd
4/3/17 04-03-2017 14:15:24.393 +1000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
2:15:24.393 PM · host = forwarder
· source = /opt/splunkforwarder/var/log/splunk/splunkd.log
· sourcetype = splunkd
4/3/17 04-03-2017 14:15:16.083 +1000 INFO Metrics - group=thruput, name=uncooked_output, instantaneous_kbps=0.000000, instantaneous_eps=0.000000, average_kbps=0.000000, total_k_processed=0.000000, kb=0.000000, ev=0.000000
2:15:16.083 PM · host = forwarder
· source = /opt/splunkforwarder/var/log/splunk/metrics.log
· sourcetype = splunkd
root@indexer:/etc/syslog-ng# netstat -an | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 10.10.50.11:9997 10.10.50.12:53380 ESTABLISHED
root@indexer:/opt/splunk/etc/system/local# mkdir firewall_asa
root@indexer:/opt/splunk/etc/system/local# cd firewall_asa
root@indexer:/opt/splunk/etc/system/local/firewall_asa# cd
root@indexer:~# cd /opt/splunk/bin
root@indexer:/opt/splunk/bin# ./splunk add udp 514 -sourcetype cisco:asa
Listening for UDP input on port 514.
root@forwarder:/opt/splunkforwarder/bin# ./splunk show deploy-poll
Deployment Server URI is set to "10.10.50.12:8089".
root@forwarder:/opt/splunkforwarder/bin# ./splunk list forward-server
Active forwards:
10.10.50.11:9997
Configured but inactive forwards:
None
root@forwarder:/opt/splunkforwarder/bin# ./splunk show servername
Server name: forwarder
root@forwarder:/opt/splunkforwarder/bin# ./splunk show default-hostname
Default hostname for data inputs: forwarder.
root@forwarder:/opt/splunkforwarder/bin# ./splunk show servername
Server name: forwarder
root@forwarder:/opt/splunkforwarder/bin# ./splunk show default-hostname
Default hostname for data inputs: forwarder.
root@forwarder:/opt/splunkforwarder/bin# ./splunk add forward-server 10.10.50.11:9997 -auth admin:seeshock
Added forwarding to: 10.10.50.11:9997.
root@forwarder:/opt/splunkforwarder/bin# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
10.10.50.11:9997
Hi there,
Am I wrong, or did you just create the UDP input on your indexer rather than the forwarder?
"root@indexer:/opt/splunk/bin# ./splunk add udp 514 -sourcetype cisco:asa
Listening for UDP input on port 514."
These are the basic steps to do what you need, assuming that you have the firewall rules/ports opened already.
Enable listening on port 9997 on the indexer to receive incoming data from the UF.
./splunk enable listen 9997 -auth username:password
Configure your forwarder to send data to the indexer.
./splunk add forward-server <IP OR DNS>:9997
Create the UDP input on your UF to listen for that syslog.
./splunk add udp 514 -sourcetype cisco:asa
Hope it helps.
Is this still an issue?
Yep, I'm just back on it now. Additionally, pls see my response to alemarzu below. I've mistakenly configured UDP 514 on the indexer rather than the forwarder earlier, which could have been causing some problems, but it has been fixed now as I reconfigured it on the forwarder and removed it from the indexer.
One solution to this would be to use buckets.d and patterndb.d on the syslog-ng server to write the Cisco ASA logs to a directory; from there, you can use a UF to monitor that directory and forward directly to the indexers.
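The layout the two replies above describe (UDP syslog received by syslog-ng on the forwarder host, written to a per-host directory, the UF monitoring that directory and shipping it to the indexer on 9997), written out as an added example; this is not configuration from any post in this thread, from Splunk or from the syslog-ng project. The 10.10.50.12 forwarder address is from the thread; the ASA address 10.10.50.1, the /var/log/syslog-ng/asa path, the file names and the `network` index are assumptions for illustration.

```conf
# --- /etc/syslog-ng/conf.d/asa.conf on the forwarder host (10.10.50.12) ---
# Drop-in for the conf.d directory that Ubuntu's syslog-ng.conf includes,
# so no @version line here (the main file declares it).
# Binding UDP 514 needs root or CAP_NET_BIND_SERVICE, and nothing else on
# this host (including a Splunk [udp://514] input) may hold the port.

source s_asa {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Keep only the firewall's messages; 10.10.50.1 is an assumed ASA address.
filter f_asa { host("10.10.50.1"); };

# One directory per sending host, created on demand, so the UF can derive
# the Splunk host field from the path instead of stamping "forwarder" on it.
# MSGHDR+MESSAGE keeps the original "%ASA-6-302013: ..." text intact for the
# cisco:asa sourcetype.
destination d_asa {
    file("/var/log/syslog-ng/asa/${HOST}/asa.log"
         create-dirs(yes)
         dir-perm(0750)
         perm(0640)
         template("${ISODATE} ${HOST} ${MSGHDR}${MESSAGE}\n"));
};

log { source(s_asa); filter(f_asa); destination(d_asa); };

# --- /opt/splunkforwarder/etc/system/local/inputs.conf on the same host ---
# Monitor what syslog-ng writes. host_segment = 5 means the 5th path segment
# (/var/log/syslog-ng/asa/<host>/asa.log -> <host>) becomes the host field.
# The "network" index is assumed and must already exist on the indexer.
[monitor:///var/log/syslog-ng/asa/*/asa.log]
sourcetype = cisco:asa
index = network
host_segment = 5
disabled = false
```

Check the syslog-ng file with `syslog-ng -s` before restarting the service, then restart the UF so it picks up the new inputs.conf. With this layout the `splunk add udp 514` input mentioned earlier must not also be present on the forwarder, since only one process can bind the port. On the ASA side the usual commands are `logging enable`, `logging timestamp`, `logging trap informational` and `logging host <interface> 10.10.50.12` (UDP 514 is the ASA default). If nothing shows up under `index=network sourcetype=cisco:asa`, confirm first that the packets reach the forwarder host at all (`tcpdump -ni any udp port 514`), then that the per-host file is growing, then that the UF's `splunk list forward-server` shows 10.10.50.11:9997 as active; that order tells you which hop is dropping the data.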
I'm too noob to understand that, but please see my further outputs below in response to nychawk.
What do you think?