I am new to Splunk and I'm trying to configure the Syslog for Sourcefire Defense Center. I am using the latest version of Splunk Light (installed on Windows 7 64 bit) and the latest Defense Center. I have configured the Defense Center to send Syslogs on TCP 514. I have configured the data input as "syslog" and "TCP 514", but I am unable to see the Syslogs on Splunk search.
I ran Wireshark on the Windows 7 machine on which Splunk is installed, and I confirm that the Syslogs are being captured. I must be missing some configuration on the Splunk side. Can you please advise?
Can you confirm with a wide-open all-time search that they're not in there? From that point, you can drill down and find them if they're anywhere... Something like:
Run over all time. Then perhaps start digging into the host fields looking for your defense center IP. The events could be time-stamped incorrectly and coming in in the future or past, or more likely they're just going into an index you aren't searching by default.
Once we get past this and confirm if they are anywhere in Splunk we can likely sort out the rest pretty easily.
Try checking the _internal index for "syslog" and your input "TCP 514"; that should be able to tell you if the data is getting stopped before it reaches the splunk process (since you'll find no record of items coming in), or if there are some internal configuration or parsing issues stopping the data from being fully indexed. Also, if you know the name of the host and/or IP the syslog is coming from, throw those in a query to _internal just in case the first two searches yield nothing.
Okay, so the internal index shows some logs pertaining to the Splunk system, but it does not show any syslogs from the host.
So, over here, I have uploaded the image of the packet capture here: (18.104.22.168 is the defence center and 22.214.171.124 is the splunk server)
I have shown the query here which I have inputted -> it shows no results
Can you try testing this syslog source using a UDP input on port 514 vs a TCP input? Since you're getting nothing regarding the host in Splunk, it means it's probably not hitting the input queue at all and is getting stopped in the socket layer somewhere.
Also try doing a search in the _internal index for "syslog" and "UDP" in case it is using a different hostname for your device (since there are some default syslog transforms), and check whether there are any error messages regarding the protocols/inputs themselves.
Also please try using a different port for the TCP syslog apart from 514 (try using one of the unused 4-digit ports and verify it's opened up between both devices fully). I have this odd feeling that TCP 514 is reserved for something, which may be causing issues for the proper handling of this traffic at the OS level.
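Added example for the steps suggested above (the TCP vs UDP test, trying another port, and then confirming with a wide-open search). This is not code from any poster in the thread or from Splunk; it is a small Python probe, run from any host that can reach the Splunk box, which sends one marked syslog event over TCP and over UDP and reports what the socket layer said. The Splunk host, port and marker string are placeholders you pass in. The distinction it makes is the one the reply above is after: "refused" means the packet reached Windows but nothing is bound to that port, "timeout" means something (typically Windows Firewall) is dropping the SYN, and "delivered" means splunkd accepted the bytes and the problem is inside Splunk (index, sourcetype or timestamp), not the network.

```python
"""Probe a Splunk syslog input over TCP and UDP.

Added example for this thread, not part of the original posts or of Splunk.
Host, port and marker are assumptions supplied by the caller.
"""
import socket
import sys
import threading
import time
from datetime import datetime

# RFC 3164 PRI = facility * 8 + severity; local0 = 16, informational = 6
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
# Fixed timestamp used for deterministic demos (assumed value).
EXAMPLE_TIME = datetime(2015, 1, 1, 12, 0, 0)


def pri(facility, severity):
    """Compute the RFC 3164 PRI field."""
    return facility * 8 + severity


def build_syslog_message(marker, hostname="probe-host", when=EXAMPLE_TIME,
                         facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Return an RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host tag: msg.
    The day is space-padded as the RFC shows it. Splunk's raw TCP input
    breaks events on the trailing newline, so it is added explicitly;
    a UDP datagram carries exactly one event and ignores the newline."""
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s splunkprobe: %s\n" % (pri(facility, severity), ts, hostname, marker)


def probe_tcp(host, port, payload, timeout=3.0):
    """Deliver payload over TCP and classify the outcome:
    'delivered' - connect + send succeeded (something is listening)
    'refused'   - RST came back: port reachable, nothing bound to it
    'timeout'   - no answer at all: a firewall is most likely dropping SYNs
    'error:...' - anything else (DNS failure, network unreachable)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload.encode("utf-8"))
        return "delivered"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error:%s" % exc


def probe_udp(host, port, payload):
    """Send payload as one datagram. UDP gives no delivery feedback, so this
    can only say 'sent' or 'error:...'; confirm arrival with a Splunk search."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload.encode("utf-8"), (host, port))
        return "sent"
    except OSError as exc:
        return "error:%s" % exc


def demo_against_local_listener(payload):
    """Stand-in for a working TCP input: a throwaway listener on 127.0.0.1
    receives the probe. Returns (status, text the listener received)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def accept_once():
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:          # probe_tcp closed its side
                    break
                chunks.append(data)
        received.append(b"".join(chunks).decode("utf-8"))

    t = threading.Thread(target=accept_once)
    t.start()
    status = probe_tcp("127.0.0.1", port, payload)
    t.join(5)
    srv.close()
    return status, received[0] if received else ""


def demo_closed_port(payload):
    """Probe a localhost port that nothing is bound to: expect 'refused'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return probe_tcp("127.0.0.1", port, payload)


if __name__ == "__main__":
    # Usage: python probe.py <splunk-host> [port]   (host/port are assumptions)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    msg = build_syslog_message("splunk-syslog-probe %d" % int(time.time()),
                               when=datetime.now())
    print("TCP %s:%d -> %s" % (host, port, probe_tcp(host, port, msg)))
    print("UDP %s:%d -> %s" % (host, port, probe_udp(host, port, msg)))
```

Run it once against the TCP input and once against a UDP input on the same port (or the alternative 4-digit port the reply suggests) and compare the two results. If TCP reports "delivered" but the event still does not show up, search the marker string with an all-time, all-index query (index=* earliest=0 "splunk-syslog-probe") before assuming a network problem: a delivered event that is invisible is almost always in an unexpected index or carrying a wrong timestamp, which is the drill-down the first reply describes.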
Check your Windows Firewall 🙂
And why is your Splunk server constantly pinging the Defense Center?