Hello Team:
We would like to capture the network traffic data at a network switch/router level and then we want to forward the captured data to Splunk.
If there is any workaround, please provide the documentation (step by step) for achieving this.
Thanks for the help in advance.
I am new to Splunk. Can someone provide me the steps for how to add Cisco L3 switches to Splunk?
I need the steps, please help.
I second the Netflow app from Netflow Logic.
The app and TA are both nicely packaged, easy to use and maintain, and provide great reporting tools.
Best of all, it has minimal indexing requirements, which is not typical when considering Netflow and/or packet captures.
Check out the Stream App for Splunk: https://splunkbase.splunk.com/app/1809/
You can use this to do exactly what you are describing. The idea here would be that your network team can give you a SPAN/mirror port off a switch and you can connect one interface to it. From there you can use Stream to capture network traffic over the wire. It's very simple to pull out SRC and DST IP addresses along with port numbers.
Very simple with Stream!
I haven't used Stream yet; it's on my bucket list. I can't imagine, however, that it will not take a huge chunk of my license to provide me with Netflow-style data. The Netflow Logic tool provides visibility with only a small chunk of at least my license.
Lavkush, based on your question and the response, you may want to look at our App (https://splunkbase.splunk.com/app/489/) and TA (https://splunkbase.splunk.com/app/1838/). We are processing and optimizing NetFlow (sFlow, jFlow, IPFIX) for Splunk, which can be collected at each network device. Based on the information you're seeking, this should satisfy your needs, but take a look and let us know if you have any questions.
To start with, there is no Splunk Forwarder code for most switches/routers. Taking a Cisco Catalyst switch for example - Cisco IOS is a proprietary operating system that does not allow for the end user to add or remove features from the software image. Even if it did, Splunk would have to write a version of the forwarder specific to IOS and compile it for each different chipset Cisco uses in different models. This is just not going to happen, especially considering that Cisco does not allow 3rd parties to build custom code that runs inside of IOS.
Given your added requirement of "We just need to capture source IP and Target IP and the Port numbers that they are using from the network traffic.", I would suggest you look at Netflow or the Splunk app for Stream.
That really depends on what type of router/switch you're using and what you're looking for in the traffic. If you just want TCP and UDP connection data, it would be much different than if you're looking for full packet captures.
Hi ntaylor,
Thanks for the quick response.
We just need to capture source IP and target IP and the port numbers that they are using from the network traffic. Please let us know if there is any way to do that.
You have a few different options. Two of the ones I can think of right off the top of my head include the following possibilities:
1) If the device supports NetFlow, forward the NetFlow data to a collector and forward from there. There are a multitude of possible configuration scenarios for this.
2) Run a SPAN off the interesting traffic ports and use either Stream to capture or run a forwarder on the listening device.
A third (not suggested) method would be to run the device in debug mode and forward the debug data accordingly. I strongly suggest against this, though.
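To make option 1 concrete, the following is an added example written for this thread; it is not code from the original posts, from Splunk, from the Stream app, or from NetFlow Logic. It shows what a minimal collector has to do before anything reaches Splunk: decode a NetFlow v5 export datagram (24-byte header followed by fixed 48-byte flow records) and reduce each record to the source IP, destination IP, ports and protocol the original poster asked for, emitted as key=value lines a Splunk UDP/TCP input can index. The sample datagram is constructed in the script itself, so it runs offline; NetFlow v5 is assumed because it is the format most older Cisco IOS devices export by default, and the field names (`src_ip`, `dest_ip`, `src_port`, `dest_port`) are chosen to line up with Splunk CIM conventions but are not required by any app.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 wire layout (network byte order).
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval           -> 24 bytes
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
#         dst_as, src_mask, dst_mask, pad2                     -> 48 bytes
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram: bytes) -> List[Dict[str, object]]:
    """Decode one NetFlow v5 datagram into a list of flow dicts.

    Length checks come first: an exporter (or anything spoofing one on the
    collector port) can advertise more records than it sent, so the record
    count in the header is never trusted without checking the payload size.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, _sys_uptime, unix_secs, _unix_nsecs,
     flow_seq, _engine_type, _engine_id, _sampling) = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: header advertises %d records" % count)

    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = struct.unpack(
            RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src_ip": socket.inet_ntoa(src),
            "dest_ip": socket.inet_ntoa(dst),
            "src_port": sport,
            "dest_port": dport,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts,
            "bytes": octets,
            "exporter_time": unix_secs,
            # Per-flow sequence number lets you spot dropped exports later.
            "flow_sequence": flow_seq + i,
        })
    return flows


def to_splunk_kv(flow: Dict[str, object]) -> str:
    """Render a flow as one key=value event line for a Splunk network input."""
    return " ".join("%s=%s" % (k, v) for k, v in flow.items())


def build_sample_datagram() -> bytes:
    """Constructed sample export with two flows (not captured from a device)."""
    def record(src, dst, sport, dport, proto, pkts, octets):
        return struct.pack(RECORD_FMT,
                           socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"),  # next hop
                           1, 2,                         # input/output ifIndex
                           pkts, octets, 1000, 2000,      # counters, first/last uptime
                           sport, dport, 0, 0x18, proto, 0,
                           0, 0, 24, 24, 0)
    records = [
        record("10.0.0.5", "192.0.2.10", 51234, 443, 6, 12, 4096),  # HTTPS
        record("10.0.0.7", "192.0.2.53", 40000, 53, 17, 1, 80),     # DNS
    ]
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1700000000,
                         0, 100, 0, 0, 0)
    return header + b"".join(records)


def collect_udp(port: int = 2055, max_datagrams: int = 1) -> List[str]:
    """Listen on the usual NetFlow port and return decoded kv lines.

    Not run by default; point the switch's 'ip flow-export destination'
    at this host to feed it real data, then ship the lines to Splunk.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    lines = []
    for _ in range(max_datagrams):
        data, _peer = sock.recvfrom(65535)
        lines.extend(to_splunk_kv(f) for f in parse_netflow_v5(data))
    sock.close()
    return lines


if __name__ == "__main__":
    for f in parse_netflow_v5(build_sample_datagram()):
        print(to_splunk_kv(f))
```

Running the script prints two events of the form `src_ip=10.0.0.5 dest_ip=192.0.2.10 src_port=51234 dest_port=443 protocol=tcp ...`; the equivalent of the "forward from there" step in option 1 is pointing a Splunk `[udp://2055]` or file-monitor input at whatever writes those lines out. Note how little data a flow record carries compared with a full packet capture from a SPAN port, which is the licensing difference raised earlier in the thread.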