Re: Query to monitor web traffic

waJesu · ‎07-06-2022

I need help coming up with a query that can help create an IDPS/Internet Content Filtering dashboard in Splunk to continuously monitor the web traffic or pull reports when asked.

gcusello · ‎07-06-2022

Hi @waJesu,

your question is just a little bit vague: because at least you should share the technologies you're using.

Anyway, my hint is to search in Splunkbase (apps.splunk.com) if there's an app for your technology that can guide you in data ingestion and presentation.

Ciao.

Giuseppe

waJesu · ‎07-06-2022

We are using sourcefire as IDPS if that helps clarify

gcusello · ‎07-06-2022

Hi @waJesu,

sourcefire is unknown in apps.splunk.com, maybe you are speking of CISCO FireSIGHT.

In this case see the Add-on to take logs (https://splunkbase.splunk.com/app/1808/) that's a part of CISCO eStreamer.

About the App, these logs are usually used in the Splunk Enterprise Security, you could also see in the CISCO Suite for Splunk (https://splunkbase.splunk.com/app/5743/).

This is the best approach because otherwise, you should start to:

analyze the way to send data (syslog, Forwarders, or else),
take the data,
parse the data,
analyze data content,
extract all fields,
create your own dashboards.

For this reason I hinted to search for an App, usually from the Vendor (e.g. CISCO).

Ciao.

Giuseppe

waJesu · ‎07-08-2022

Thank you. This should help.

gcusello · ‎07-08-2022

Hi @waJesu,

good for you, see next time!

If this answer solves your need, please, accept one answer for the other people of Community or tell me how I can help you more.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Help with Query to monitor web traffic

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms