
Configuring Splunk for remote wireless monitoring

Engager

Hi Team,

I'm trying to configure Splunk to monitor remote wireless logs. I'm getting Wi-Fi router logs on a remote machine, and I have to configure Splunk on my system to pick them up. Here are my questions:

  1. How can I configure a remote log in Splunk?
  2. How do I route a particular log to a particular app?
  3. What useful apps are available for Wi-Fi log monitoring?

Note: I'm using a Windows machine.

Thanks in advance.


Re: Configuring Splunk for remote wireless monitoring

Splunk Employee

First assumption: when you say you are getting Wi-Fi router logs on a remote machine, I assume you mean you are sending the wireless logs to a syslog collector? That would be a good thing, because then you can use forwarders to monitor the files.

How can I configure a remote log in Splunk?
If my assumption is correct, you should use a universal forwarder on the remote machine to send the logs to the Splunk indexer. This link describes more about forwarding:
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Usingforwardingagents

How do I route a particular log to a particular app?
Most apps will describe what index and sourcetype your data should come in as, to make setup as easy as possible. You should download the app and follow any instructions on the app page or in a readme supplied by the developer.

For example, say you wanted to use the Cisco app with a Cisco ASA device. You would want the data to go to "index=firewall sourcetype=cisco_asa" in order to have the searches and dashboards work out of the box.

What useful apps are available for Wi-Fi log monitoring?
Your best bet here would be to go to Splunkbase and search for your wireless device vendor. If it is not there, ask about the specific device on Answers, and sometimes someone can share some things to get you started quickly.

Finally, I want to let you know that you do not necessarily have to use apps in order to get value out of Splunk. Apps are just templates with some predefined searches and dashboards to get you started quickly. They help, but they are not always necessary.

Splunk out of the box will provide you with full-text search across the events, and adding fields at search time is trivial using the field extractor, or even by writing them manually if you are comfortable with regex. Then all you need is some imagination to see what type of questions you want to ask of the data.

Have fun and please ask questions if you get stuck!
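As an added example (not code from the original thread, and not Splunk's own code), here is what the setup the answer assumes looks like on the collecting machine: a small UDP syslog receiver that appends each router message to a daily file for the universal forwarder to monitor, a parser for the RFC 3164 syslog header (PRI, timestamp, host), a regex field extraction of the kind you would otherwise write at search time, and the inputs.conf stanza that routes the file to the index and sourcetype an app asks for. The hostapd-style message format, the field names, the C:\wifi-logs directory, the `wifi` index, the `wifi:hostapd` sourcetype and the sample log lines are all assumptions constructed for illustration; adapt the patterns to what your router actually emits.

```python
"""
Syslog collector for Wi-Fi router logs plus a search-time style regex
extraction. Added example, not from the original thread or from Splunk.
Message format, field names, paths, index and sourcetype are assumptions.
"""
import re
import socketserver
from datetime import date
from pathlib import Path

# RFC 3164 shape: <PRI>Mon dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<message>.*)$"
)

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed hostapd-style association messages (OpenWrt-like APs emit this shape).
WIFI_RE = re.compile(
    r"(?P<interface>wlan\d+): STA (?P<client_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.11: (?P<action>associated|disassociated|authenticated|deauthenticated)"
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LINES = [
    "<30>Mar 12 09:15:02 ap-lobby hostapd: wlan0: STA 3c:22:fb:aa:10:01 IEEE 802.11: associated (aid 1)",
    "<30>Mar 12 09:15:03 ap-lobby hostapd: wlan0: STA 3c:22:fb:aa:10:01 IEEE 802.11: authenticated",
    "<28>Mar 12 09:20:41 ap-lobby hostapd: wlan0: STA 3c:22:fb:aa:10:01 IEEE 802.11: deauthenticated due to inactivity",
    "<30>Mar 12 09:21:07 ap-lobby hostapd: wlan1: STA 8e:4d:01:00:be:ef IEEE 802.11: associated (aid 2)",
    "garbage line without a syslog header",
]


def parse_syslog(line):
    """Split the syslog header off; None for lines that do not look like syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility*8 + severity, max 23*8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES.get(facility, str(facility)),
        "severity": SEVERITY_NAMES[severity],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "message": m.group("message"),
    }


def extract_wifi_fields(message):
    """What a search-time regex extraction would add: interface, client_mac, action."""
    m = WIFI_RE.search(message)
    return m.groupdict() if m else {}


def index_events(lines):
    """Parse and enrich every well-formed line; drop the rest."""
    events = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue
        ev.update(extract_wifi_fields(ev["message"]))
        events.append(ev)
    return events


def count_by_action(events):
    """The kind of question the answer means by 'ask of the data'."""
    counts = {}
    for ev in events:
        if "action" in ev:
            counts[ev["action"]] = counts.get(ev["action"], 0) + 1
    return counts


def append_event(log_dir, line):
    """One file per day, appended, so the forwarder tails a steadily growing file."""
    path = Path(log_dir) / f"wifi-{date.today():%Y-%m-%d}.log"
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(line.rstrip("\r\n") + "\n")
    return path


def monitor_stanza(log_dir, index, sourcetype):
    """inputs.conf stanza for the universal forwarder; index/sourcetype per the app's docs."""
    return f"[monitor://{log_dir}]\ndisabled = 0\nindex = {index}\nsourcetype = {sourcetype}\n"


class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # UDPServer hands (datagram, socket)
        append_event(self.server.log_dir, data.decode("utf-8", errors="replace"))


def serve(log_dir=r"C:\wifi-logs", host="0.0.0.0", port=514):
    """Point the router's syslog target at this host:port; runs until interrupted."""
    server = socketserver.UDPServer((host, port), SyslogHandler)
    server.log_dir = log_dir
    server.serve_forever()


if __name__ == "__main__":
    for ev in index_events(SAMPLE_LINES):
        print(ev)
    print(count_by_action(index_events(SAMPLE_LINES)))
    print(monitor_stanza(r"C:\wifi-logs", "wifi", "wifi:hostapd"))
```

Run `serve()` on the machine the router already sends syslog to (port 514 needs elevated rights on Linux; on Windows it binds as a normal user unless another syslog service holds it), then drop the printed stanza into the universal forwarder's `etc\system\local\inputs.conf` and restart the forwarder. The garbage line and an out-of-range PRI are both dropped rather than crashing the parser, so a misbehaving device does not stop the collector.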