How to Onboard a device in Splunk?

debjit_k
Path Finder

Hi All,

I wanted to onboard a new device in Splunk, which is a Sangfor firewall. My question is how I can onboard it so that it also becomes CIM compliant.

My basic understanding is:

The team will configure syslog to send logs to our syslog server.

From syslog -> UF -> IDX -> SH

I believe in the IDX I need to define the inputs.conf file for the new FW. Now my question is: does Sangfor have any add-on (like Palo Alto, which carves the data itself into proper names, tags, everything)? If it has one, can anyone please help me with the link and tell me where I need to install this add-on (search head, IDX or UF) to make my data CIM compliant?

Thanks


gcusello
SplunkTrust

Hi @debjit_k,

the Sangfor firewall doesn't have an Add-On on Splunkbase, so you need to create a new CIM 4.x compliant one.

There are two different approaches to Add-Ons:

  • create different Add-Ons for the roles: one for the input and one for parsing,
  • use the same Add-On for all roles.

I usually prefer the second one.

In the Add-On you have to put:

  • the inputs.conf file to ingest the files that, I suppose, you receive using an rsyslog or syslog-ng server,
  • the props.conf file to contain all the parsing options (props.conf, transforms.conf),
  • all the CIM compliance transformations (eventtypes.conf, tags.conf, props.conf, transforms.conf and eventually lookups).

To create a CIM 4.x compliant Add-On you can use the Add-On Builder App (https://splunkbase.splunk.com/app/2962) or use an App like SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) to identify the transformations required.

You could use the second one for Add-On definitions and the first one for CIM 4.x compliance checks.

In a few words you have:

  • to extract all the fields required (here you can find the required and the optional fields for each DataModel: https://docs.splunk.com/Documentation/CIM/5.1.1/User/Howtousethesereferencetables ),
  • to normalize field names, creating aliases for your field names,
  • to normalize some field values (e.g. for the action field you must use the following values: success, failure, pending, error),
  • eventually add lookups.

Ciao.

Giuseppe

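As an added illustration of the single-Add-On layout described above (this is example configuration written for this thread, not code from the thread's authors, from Splunk, or from any Sangfor add-on), the conf files could look like the following. The sourcetype `sangfor:fw`, the monitor path, the `key=value` log format, the device field names (`src_ip`, `dst_ip`, `act`, ...) and the sample log line are all assumptions; the real Sangfor log format has to be checked against the device documentation before the regexes are trusted. The `action` values follow the CIM Network Traffic data model (allowed, blocked, teardown).

```ini
# default/inputs.conf  (applies on the UF that reads the syslog-ng files)
# Assumed path layout: /var/log/syslog-ng/sangfor/<fw-hostname>/fw.log
[monitor:///var/log/syslog-ng/sangfor/*/fw.log]
sourcetype = sangfor:fw
index = network
# 5th path segment (/var=1 /log=2 /syslog-ng=3 /sangfor=4 /<host>=5) becomes the host field
host_segment = 5
disabled = 0

# default/props.conf  (index-time part is used on IDX, search-time part on SH)
# Constructed sample event (not a real Sangfor line):
#   Jun 01 12:00:01 fw01 sangfor: src_ip=10.0.0.5 dst_ip=203.0.113.7 src_port=51234 dst_port=443 proto=tcp act=deny bytes=812
[sangfor:fw]
# --- index-time: one event per line, timestamp at the start of the line ---
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
TRUNCATE = 10000
# --- search-time: field extraction via transforms.conf ---
REPORT-sangfor_kv = sangfor_kv
# --- CIM field name normalization (Network Traffic data model) ---
FIELDALIAS-sangfor_src  = src_ip ASNEW src
FIELDALIAS-sangfor_dest = dst_ip ASNEW dest
FIELDALIAS-sangfor_transport = proto ASNEW transport
# --- CIM field value normalization: device verbs -> allowed / blocked / teardown ---
EVAL-action = case(match(act, "(?i)^(allow|permit|accept)"), "allowed", match(act, "(?i)^(deny|drop|block|reject)"), "blocked", match(act, "(?i)^(close|teardown)"), "teardown", true(), "unknown")
EVAL-vendor  = "Sangfor"
# product name is a placeholder; set it to the real product string
EVAL-product = "Firewall"

# default/transforms.conf  (search-time, on SH)
# Generic key=value extraction for the assumed log format; FORMAT names each field after its key.
[sangfor_kv]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
MV_ADD = true

# default/eventtypes.conf  (search-time, on SH)
[sangfor_fw_traffic]
search = sourcetype=sangfor:fw action=*

# default/tags.conf  (search-time, on SH)
# network + communicate are the tags the Network Traffic data model selects on
[eventtype=sangfor_fw_traffic]
network = enabled
communicate = enabled
```

In the one-Add-On-for-all-roles approach the same package is deployed on every tier: the UF only honours inputs.conf, the indexers apply the index-time props (line breaking, timestamps), and the search heads apply REPORT/FIELDALIAS/EVAL, eventtypes and tags. After deployment, a search such as `| datamodel Network_Traffic All_Traffic search | search sourcetype=sangfor:fw` shows whether the events are being picked up by the data model, and SA-cim_vladiator reports which required fields are still missing.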