Getting Data In

How to configure Splunk to collect data from a Switch information collector (syslog)?

alexisall
Engager

Hello,

I am trying to collect data from a Hirschmann MACH102 switch in Splunk, using UDP port 514.
My computer (host) is 192.160.0.20, Switch IP is 192.160.0.10. I can ping my switch via PC.

Things I have done on Splunk:
- New data entry: UDP, port 514, collect via IP
- New sourcetype: each-line event, in Network/Security category
- New index (just a new name, I didn't set any parameter)
- On my switch web interface I have set a new syslog field with host IP 192.160.0.20, port 514, active

And then, when I do a new Splunk search with the pre-done query, I don't have any events collected. I tried to connect/disconnect a PC on the switch (to create events) but nothing appears in Splunk.

I have tried to collect data from a local file, it worked but not with a switch/syslog system.

I am new to Splunk, can anyone please help me?
Thank you in advance.

0 Karma
1 Solution

hgrow
Communicator

Hi alexisall,

First off, I just assume you configured your switch to send syslog to an external source? No clue about that switch, and a quick Google search didn't help. I just assume you configured it right.

On the Splunk side:

The steps you have described all sound good.
You might already have read https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Monitornetworkports .

First off some wise words... if you plan to collect syslog in a production environment, things might end up complicated, so DO NOT send syslog directly to Splunk! If you are just trying some things out it might be okay.
I could try to explain this in detail, but there is a wise guy who did a perfect job explaining why and what to do instead. This is a must read!!: http://www.georgestarcher.com/splunk-success-with-syslog/

Back to your problem:

  1. What machine are you running, Linux or Windows? What user is your Splunk running under?
    For example, on Linux low ports (0-1024) are restricted to the root user. If you run Splunk as non-root you won't be able to listen on 514 without some extra work.

  2. Can you confirm the Hirschmann MACH102 is sending syslog properly to your Splunk server? No firewall or whatsoever is blocking UDP 514, even if a ping might get through?

You can test for arriving syslog on your Splunk server with something like tcpdump udp port 514. If you get packets arriving from your switch, that's good.

In general, another thing to test if ports are open may be a telnet IP PORT.
Be aware (!) your Hirschmann MACH102 is sending data to Splunk. Testing the connection from your Splunk server is the wrong direction. The Hirschmann MACH102 needs to reach your Splunk server.

What kind of data would you like to see from your switch?

Sincerely
hgrow
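
The "right direction" check described in this answer, as an added example that is not part of the thread and not Splunk's own tooling: a small Python listener that binds UDP/514 on the Splunk host (with Splunk's UDP input stopped, since only one process can own the port) and reports the source address of the first datagram, which should be the switch (192.160.0.10 in the question), plus a loopback self-test so the script can be tried offline. The syslog message content is constructed, not captured from a MACH102, and the Linux low-port behaviour is the one the answer refers to. It runs on Windows as well, which is where the asker's Splunk lives.

```python
import socket

# Constructed sample in RFC 3164 shape: what a switch "link down" event looks
# like on the wire (hypothetical content, not captured from a MACH102).
SAMPLE_EVENT = "<30>Jan 17 10:41:22 MACH102 link: Port 1/3 link down"


def open_listener(bind_addr="0.0.0.0", port=514):
    """Bind a UDP socket the way Splunk's UDP input would.

    Run this on the Splunk host with Splunk's UDP/514 input disabled, since
    only one process can own the port. On Linux, ports below 1024 need
    root; as an unprivileged user bind() raises PermissionError, which is
    the low-port issue raised above. On Windows an elevated prompt is enough.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive_one(sock, timeout=5.0):
    """Wait for one datagram; return (source_ip, text) or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, (src_ip, _src_port) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return src_ip, data.decode("utf-8", errors="replace")


def send_datagram(host, port, text):
    """The switch's side of the exchange: one fire-and-forget UDP datagram.

    On the real network only the switch sends; running this from the Splunk
    host towards the switch would test the wrong direction.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(text.encode("utf-8"), (host, port))


def loopback_selftest():
    """Both sides on 127.0.0.1 with an ephemeral port, so it runs offline
    and without privileges; returns what the listener saw."""
    with open_listener("127.0.0.1", 0) as sock:
        port = sock.getsockname()[1]
        send_datagram("127.0.0.1", port, SAMPLE_EVENT)
        return receive_one(sock, timeout=2.0)


if __name__ == "__main__":
    import sys

    if "--selftest" in sys.argv:
        print(loopback_selftest())
    else:
        # Real check on the Splunk host: the source should be the switch
        # (192.160.0.10 in the thread), not the host itself.
        with open_listener("0.0.0.0", 514) as sock:
            result = receive_one(sock, timeout=30.0)
        print("nothing arrived on UDP/514" if result is None
              else "datagram from %s: %s" % result)
```

Run it with --selftest first to confirm the script itself works, then without arguments on the Splunk host while unplugging a port on the switch. If the self-test passes but nothing arrives on 514, the problem is between the switch and the host (switch configuration, network, or the host firewall), not inside Splunk.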

alexisall
Engager

Hello and thank you for your answer and docs !

I am running Splunk on a Windows 7 PC, and I don't know how to tell if I use it as root or a non-root user... I might say as root because I am the only user on the PC, as admin... but maybe I am wrong.

I'm using Wireshark to see what is happening while I do things on the switch, but with a "udp" filter I see nothing in Wireshark... To use the telnet IP PORT I used PuTTY, but when I configure PuTTY to use telnet it shows "Connection refused".

I'd like to see things like "Link down" or "link up" on the switch, and other common events.

Regards

0 Karma

hgrow
Communicator

Hi alexisall,

Your Windows Task Manager shows you under what user your splunkd process is running. If that's 'SYSTEM', that's not a problem for receiving data on 514.

If you don't see any data coming in in your Wireshark, that may be the root cause: logs from your server don't even reach your PC, so what is wrong might be the switch configuration, or something on the line is blocking the data your switch is sending to your Splunk.

Hard to tell what might be the issue there. First I would check anything that might block the connection for UDP/514 data. Firewall, etc. in your network might block things?

If you "putty" with a "connection refused", I assume that's from your PC to your switch. That's the wrong direction anyway.

Regards

0 Karma

alexisall
Engager

Hello hgrow,

I have solved some problems; now I can see in Wireshark some UDP/syslog data transmitting between my PC and my switch when I do things like unplugging Ethernet cables, for example.

The problem now is that I am still not able to see that data in Splunk. Maybe I have a bad configuration, but when I create a new UDP data entry with port 514 and default index/sources and start a search, Splunk does not show any data...

[screenshot]

0 Karma

hgrow
Communicator

Hey,

Hmm... this is more like poking around in the dark... I'm not quite sure if Wireshark comes before or after the Windows firewall. Another point of failure might be the Windows firewall. You can try to create a new firewall rule for incoming UDP/514.

If that's not the trick, you can post your inputs.conf with the data input you've created to check if something's going wrong there.

Regards.

0 Karma

alexisall
Engager

OK, I don't know why but my Windows firewall was enabled... I disabled it a few days ago, but well, it was definitely the problem, thank you... I can see the data in Splunk:

[screenshot]

Is there a board panel that looks like a Pie Chart, with which I can filter the data and see how many % are "non-critical errors", how many % "critical"...?

Regards

0 Karma

hgrow
Communicator

Hi there,

Good, the input is finally working.

First off, there are no Splunk board panels which will give you some dashboards about your data. In some cases you might find something product-specific at https://splunkbase.splunk.com/ to download as an app, but I'm pretty sure there is nothing for your Hirschmann. But since you have Splunk it's easy to build yourself just with Splunk SPL.

But first things first... maybe you've already noticed, but if you take a look at your screenshot, in the first event there are actually 3 events merged together. That's something you don't want!

Since you gave your events a custom sourcetype "hirsch", you will need to put some effort in to let Splunk understand the data correctly.

Maybe you should read:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Whysourcetypesmatter
and
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Createsourcetypes

A quicker way might be to change the sourcetype of your input to "syslog", since it's syslog that your switch sends you. Some things might work out of the box.

A correct "event breaking/line breaking" is what you need to achieve.

From that point on you can start to gather information, extract fields and build some nice dashboards 🙂 Since there are many things on the way (way too much to cover all here), I suggest you start with some Splunk tutorials like http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchTutorial/WelcometotheSearchTutorial.

Greetings

0 Karma
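
The two points in this last answer, event breaking and a severity breakdown for a pie chart, as an added Python example that is not from the thread and not Splunk code: it breaks a buffer into individual events at each RFC 3164 "<PRI>" header (the boundary Splunk's line breaking has to recognise so that three messages are not glued into one event), decodes PRI into facility and severity, and tallies the percentage per severity. The three merged switch messages are constructed for the example; their text is hypothetical and not taken from a MACH102.

```python
import re
from collections import Counter

# RFC 3164 severity codes 0..7; facility is PRI // 8, severity is PRI % 8.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

# A new event starts wherever a "<PRI>" header appears. Breaking on this
# marker instead of on newlines is what keeps several messages from being
# merged into one event.
EVENT_START = re.compile(r"(?=<\d{1,3}>)")
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)

# Constructed sample: three switch messages that arrived as one blob, the
# situation hgrow spotted in the screenshot. Message text is hypothetical.
MERGED_SAMPLE = (
    "<30>Jan 17 10:41:22 MACH102 link: Port 1/3 link down\n"
    "<30>Jan 17 10:41:25 MACH102 link: Port 1/3 link up"
    "<28>Jan 17 10:42:01 MACH102 power: redundant supply 2 lost"
)


def split_events(buffer):
    """Break a buffer into individual syslog events at each <PRI> header."""
    return [part.strip() for part in EVENT_START.split(buffer) if part.strip()]


def parse_event(text):
    """Decode the PRI header into facility and severity. Messages without a
    valid header are kept and tagged 'unknown' rather than dropped, so
    nothing silently disappears from the counts."""
    m = HEADER.match(text)
    if m is None or int(m.group("pri")) > 191:  # 191 = facility 23, severity 7
        return {"facility": None, "severity": None,
                "severity_name": "unknown", "message": text}
    facility, severity = divmod(int(m.group("pri")), 8)
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES[severity],
            "message": m.group("rest").strip()}


def severity_breakdown(buffer):
    """Percentage of events per severity name: the numbers behind a pie chart."""
    events = [parse_event(e) for e in split_events(buffer)]
    counts = Counter(ev["severity_name"] for ev in events)
    total = sum(counts.values())
    if not total:
        return {}
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


if __name__ == "__main__":
    for ev in map(parse_event, split_events(MERGED_SAMPLE)):
        print(ev["severity_name"], ev["message"])
    print(severity_breakdown(MERGED_SAMPLE))
```

Once Splunk breaks the events correctly (the "syslog" sourcetype does this for standard-looking messages), the same breakdown is one SPL search over the extracted severity field, for example ending in "stats count by severity", which a pie chart panel can visualise directly.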