Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Onboard a device in Splunk?

debjit_k
Path Finder
‎08-21-2023 07:44 PM

Hi All, 

 

I wanted to onboard new device in Spunk which is sangfor firewall my question is how can I onboard it so that it also became a CIM compliant

 

My basic understand is 

 

Team will configure syslog to sent logs to our syslog 

From syslog -> UF -> IDX -> SH 

 

I believe in idx I need to define the input.conf file for new FW now my question is does sangfor has any add-on (like paloalto which curve the data itself in proper name tag everything) if it has Can anyone please help me with the link and where I need to install this addon in search head or idx or UF to make my data CIM compliant.

 

Thanks

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-21-2023 11:48 PM

Hi @debjit_k,

the sangfor firewall hasn't an Add-On on Splunkbase, so you need to create a CIM 4.X compliant new one.

There are two different approaches to Add-Ons:

  • create different add-ons for the roles: one for the input and one for parsing,
  • use the same Add-On for all roles,

I usually prefer the second one.

In the Add-On you have to put:

  • the inputs.conf file to ingest the files that, I suppose, you receive using an rsyslog or syslog-ng server,
  • the props.conf file to contain all the parsing options (props.conf, transforms.conf)
  • all the CIM compliance transformations (eventtypes.conf, tags.conf, props.conf, transofrma.conf and eventually lookups.

To create a CIM 4.x compliant Add-On you can use the Add-On Builder App (https://splunkbase.splunk.com/app/2962) or using an App like SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) to identify the transformation requested.

You could use the second one for Add-On definitions and the first one for CIM 4.x compliance checks.

In few words you have:

  • to extract all the fields required (here you can find the required and the optional fields for each DataModel https://docs.splunk.com/Documentation/CIM/5.1.1/User/Howtousethesereferencetables ),
  • to normalize field names creating aliases for your field names,
  • to normalize some field values (e.g. for the action field you must use the following values: success, failure, pending, error,
  • eventually add lookups.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top