All Apps and Add-ons

Not getting data from DELL SonicWall Analytics App

rodgerkrau
New Member

Dashboard not working. I believe I need to edit the sonicwall_firewalls.csv but I'm not sure of the exact context. This is what's in there now:

host, firewall_name
127.0.0.1, localhost
1.1.1.1, "Sample Host"
"localhost:2055", "IPFix Convert"

Note: I am getting syslog data over UDP port 514 from the same device I'm trying to pull from.

1 Solution

Richfez
SplunkTrust

It seems unlikely that would prevent the dashboard from working, but unlikely is not the same as impossible.

You'll probably want to put, as a new line,

1.2.3.4, "My firewall's name"

in there, where 1.2.3.4 is its IP and the rest is a string "name" for it.

If that works, great!

If not, post back. It might help quite a bit if you could edit one of the dashboard panels and find the search string in it and paste that in here. That will tell us a lot about how that app expects to see its data (without making us download the app and examine it ourselves, that is).

BTW, USUALLY these sorts of issues end up being index related. The data is going into a different index than what the dashboards expect, or the permissions are set on the role in such a way that the user logged in doesn't search the particular index needed by default or can't search it at all. Probably the second biggest reason these sorts of issues crop up is the app just fails to tag (generic word, not exactly and precisely the "tag" capability inside Splunk) your events properly (which can often be an input problem like you aren't assigning the right sourcetype on the input or something, but there are other various reasons for this sometimes too).

Richfez
SplunkTrust

Resolution took a bit of back and forth.

Deeper inspection of the events he had showed only lines like

tid=555 total_data_count=0 total_data_size_kb=0 total_discard_count=0

in his sonicwall index. This is the same sort of summary event I got when I tested the app (and I have NO sonicwall), so it became clear the data was NOT actually coming in.

We double-checked the setup instructions and those did seem to have been completed properly. Rodgerkrau sniffed some traffic with Wireshark and confirmed that the data wasn't getting there.

It turned out the router VPN from the SonicWall IP had to be reset to 0.0.0.0, and then the data started flowing.

All is better now!

seanduchstein
New Member

Could you please explain in greater detail your solution? Are you talking about the setting: "Source IP to Use For Collector On A VPN Tunnel"?


rodgerkrau
New Member

OK, I noticed the index was set to "main" so I changed it to sonicwall. index=sonicwall is now showing data; however, the dashboards are still not populating data. I can only post on this forum twice a day. Can we troubleshoot via email and then post the solution once resolved?


rodgerkrau
New Member

Here is one of the dashboard search strings: index=sonicwall tid=257 OR tid=357 OR tid=458 | timechart span=1h sum(init_to_resp_octets) as "outbound", sum(resp_to_init_octets) as "inbound" | addtotals

Permissions appear to be correct. I am an admin on the system.


rodgerkrau
New Member

Stopped the Splunk service, added a new line (didn't remove any lines) and started the Splunk service.
Now I get an error: received event for unconfigured/disabled/deleted index='sonicwall' with source='source::dell_ipfix://Dell_IPFIX' host='host::localhost:2055' sourcetype='sourcetype::dell_ipfix' (1 missing total)

xxx.xxx.xxx.xxx, "My SonicWall"
host, firewall_name
127.0.0.1, localhost
1.1.1.1, "Sample Host"
"localhost:2055", "IPFix Convert"

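A small check for the sonicwall_firewalls.csv lookup as it appears in the thread (added example, not code from the app or from anyone in this thread). It assumes the file is a plain two-column Splunk CSV lookup whose first line must be the `host, firewall_name` header, and uses the posted rows, placeholder IP included, as a constructed sample.

```python
import csv
import io
import ipaddress
import re

# Constructed sample: the lookup as posted above, with the new firewall row
# pasted above the header line (the placeholder IP is kept as posted).
SAMPLE_LOOKUP = """xxx.xxx.xxx.xxx, "My SonicWall"
host, firewall_name
127.0.0.1, localhost
1.1.1.1, "Sample Host"
"localhost:2055", "IPFix Convert"
"""

EXPECTED_HEADER = ["host", "firewall_name"]
HOSTPORT_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def valid_host(value):
    """True if value is an IP address, or a hostname/IP with an optional :port."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTPORT_RE.match(value)) and not value.endswith(".")


def check_lookup(text):
    """Return a list of problems found in a sonicwall_firewalls.csv body.
    An empty list means the text parses as a two-column lookup with the
    header on line 1; a header that appears later is reported, because a
    CSV lookup treats whatever is on line 1 as the column names."""
    problems = []
    rows = [r for r in csv.reader(io.StringIO(text), skipinitialspace=True) if r]
    if not rows:
        return ["file is empty"]
    if [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        problems.append("line 1 must be the header 'host, firewall_name', got: "
                        + ", ".join(rows[0]))
    for n, row in enumerate(rows, start=1):
        if [c.strip() for c in row] == EXPECTED_HEADER:
            if n != 1:
                problems.append("line %d: header appears after data rows" % n)
            continue
        if len(row) != 2:
            problems.append("line %d: expected 2 columns, got %d" % (n, len(row)))
            continue
        host, name = (c.strip() for c in row)
        if not valid_host(host):
            problems.append("line %d: host %r is not an IP or host:port" % (n, host))
        if not name:
            problems.append("line %d: firewall_name is empty" % n)
    return problems
```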

Richfez
SplunkTrust

You have an index with the name "sonicwall"? Your other comment indicates you've checked that, but that error means .... oh, it probably missed an event while you had services down, that's probably all. So, try this search:

index=sonicwall

What's that give?

Actually, if that returns hits do

index=sonicwall | stats count by tid

That way we can kill two birds with one stone.

Are you on the IRC or Slack channel? This sort of interactive back-and-forth troubleshooting is often easier in that forum (then we can come back here and provide the steps and resolution).
