Best 'monitor' setup for firewall logs

SplunkUser5888
Path Finder

Hey guys, Noob here;

I wanted to know what you thought would be the best setup to use the monitor function in inputs.conf to monitor firewall logs.
I've read the inputs.conf.specs file and there are a lot of attributes, but I'm not sure which should be used and with which regex.

I'm not looking for a specific answer just what you lot think is the best setup for monitoring a firewall log.

Thanks

1 Solution

Drainy
Champion

Well with that sort of question you won't get a very specific answer 🙂

It depends entirely on how you're outputting the logs from your firewall. As a general rule, with most firewalls you would output it as syslog over UDP to a local syslogd. This would write the log to disk, and Splunk would be configured with a monitor stanza to index the contents.

Additional options are only needed if you have a specific index you want it to hit. By default, just adding the stanza and a sourcetype would probably handle most of what you want to do.
Another consideration is looking at any Apps which may already exist for your firewall on Splunkbase. If so, download it and figure out what sourcetype it expects; you can then configure this within inputs.conf so everything works straight out of the box. Most apps of this kind come with pre-defined extractions, so you only need to handle the input and sourcetyping.

If there isn't an app available you will need to build your own extractions in props and transforms, which is something you can come back here for additional help with.

Also worth considering are the timezone offsets, line breaking etc., which are all configured within props. If you hit any more specific problems then feel free to come back with another question 🙂

Inputs.conf Documentation

Props.conf Documentation
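As an added illustration of the stanzas the answer describes (this is not the poster's configuration and not taken from any Splunkbase app): an inputs.conf monitor stanza for firewall files written by a local syslogd, alongside the props.conf settings that handle line breaking and the timezone. The directory /var/log/firewall, the index name firewall, the sourcetype fw:syslog and the sample event are assumptions.

```ini
# inputs.conf (added example; directory, index and sourcetype are placeholders)
# Assumes the local syslogd writes each firewall's messages to
# /var/log/firewall/<firewall-hostname>/fw.log
[monitor:///var/log/firewall]
index = firewall
sourcetype = fw:syslog
# Regex applied to the full path: only the live log, not rotated copies
whitelist = /fw\.log$
blacklist = \.(gz|bz2|zip|\d+)$
# Take the host from the 4th path segment (/var=1 /log=2 /firewall=3 /<host>=4)
# rather than the forwarder's own hostname
host_segment = 4
# Skip files untouched for more than 7 days (old rotations, stale hosts)
ignoreOlderThan = 7d
disabled = false

# props.conf, keyed on the same sourcetype
# Constructed sample event this stanza is written for (BSD syslog format):
#   Mar  3 14:05:17 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=22
[fw:syslog]
# One line is one event: break on newlines and never merge lines
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp sits at the start of the line, so don't scan further than needed
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# BSD syslog carries no zone; state the one the firewall's clock actually uses
TZ = UTC
# Raise the per-event limit so long audit lines are not cut short
TRUNCATE = 10000
```

If the firewall emits RFC 5424 syslog instead, TIME_FORMAT and TZ need adjusting, since that format carries its own timestamp with zone.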

SplunkUser5888
Path Finder

Hey, I left the question to see if there would be any other opinions and ideas, but there is nothing else. I thought, as you have helped, that I would make your answer the right one.

Thanks


SplunkUser5888
Path Finder

Thank you, that was very helpful. I don't know anything about the firewall (intern... not check the firewall). But you've brought up some interesting stuff; I'll leave it unanswered to see if anyone else has something to share, but thanks again.
