Getting Data In

How to configure a Splunk forwarder for a network switch/router?

lavkush
New Member

Hello Team:

We would like to capture the network traffic data at a network switch/router level and then forward the captured data to Splunk.
If there is any workaround, please provide the documentation (step by step) for achieving this.

Thanks for the help in advance.

0 Karma

narean
New Member

I am new to Splunk. Can someone provide me the steps for how to add Cisco L3 switches to Splunk?

I need the steps, please help.

0 Karma

nychawk
Communicator

I second the NetFlow app from NetFlow Logic.
The app and TA are both nicely packaged, easy to use and maintain, and provide great reporting tools.

Best of all, it has minimal indexing requirements, which is not typical when considering NetFlow and/or packet captures.

esix_splunk
Splunk Employee

Check out the Stream App for Splunk: https://splunkbase.splunk.com/app/1809/

You can use this to do exactly what you are describing. The idea here would be that your network team can give you a SPAN/mirror port off a switch and you can connect one interface to it. From there you can use Stream to capture network traffic over the wire. It's very simple to pull out SRC and DST IP addresses along with port numbers.

Very simple with Stream!

0 Karma
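To make the SPAN-port approach above concrete, here is an added example (not Splunk Stream code, and not from anyone in this thread) that does the minimal version of what Stream does on a mirror port: decode the Ethernet, optional 802.1Q, IPv4 and TCP/UDP headers of a raw frame and emit the source IP, destination IP and ports as a key=value line that Splunk field-extracts at search time. The frame it parses is constructed inline with RFC 5737 test addresses; the MAC addresses and ports are arbitrary.

```python
"""Extract src/dst IP and ports from raw frames seen on a SPAN/mirror port.

Added example for illustration; it is not Splunk Stream code and does not
replace it. It decodes Ethernet (with an optional 802.1Q tag, which mirror
ports commonly preserve), IPv4 and the TCP/UDP port fields, which is all
that is needed for the five-tuple asked about in this thread. IPv6, ARP and
non-TCP/UDP frames are skipped (None).
"""
import socket
import struct
from typing import Any, Dict, Optional

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_frame(frame: bytes) -> Optional[Dict[str, Any]]:
    """Return the five-tuple (plus VLAN id if tagged); None for anything else."""
    if len(frame) < 14:
        return None
    _dst_mac, _src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan = None
    if eth_type == ETH_P_8021Q:
        if len(frame) < offset + 4:
            return None
        tci, eth_type = struct.unpack("!HH", frame[offset:offset + 4])
        vlan = tci & 0x0FFF
        offset += 4
    if eth_type != ETH_P_IP or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length incl. options
    if ihl < 20 or len(frame) < offset + ihl:
        return None
    proto = frame[offset + 9]
    src_ip = socket.inet_ntoa(frame[offset + 12:offset + 16])
    dst_ip = socket.inet_ntoa(frame[offset + 16:offset + 20])
    l4 = offset + ihl
    # Both TCP and UDP carry src port then dst port in their first four bytes.
    if proto not in PROTO_NAMES or len(frame) < l4 + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", frame[l4:l4 + 4])
    return {"vlan": vlan, "proto": PROTO_NAMES[proto],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def to_kv(rec: Dict[str, Any]) -> str:
    """Render as key=value text, which Splunk field-extracts at search time."""
    return " ".join(f"{k}={v}" for k, v in rec.items() if v is not None)


def build_sample_frame(vlan: Optional[int] = None) -> bytes:
    """Constructed frame (not a real capture): 10.0.0.5:51514 -> 192.0.2.10:443 TCP SYN.

    Checksums are left at zero; the parser never validates them."""
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip + tcp
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP) + ip + tcp


if __name__ == "__main__":
    for f in (build_sample_frame(), build_sample_frame(vlan=100)):
        print(to_kv(parse_frame(f)))
```

Every length is checked before unpacking because frames arriving on a mirror port are untrusted input; a truncated or hostile frame must be dropped, not crash the collector. Note also that a mirror port hands you every byte of every packet, so whatever consumes it (Stream or anything else) has to reduce the volume to flow-style records before indexing, which is the licensing point raised later in this thread.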

nychawk
Communicator

I haven't used Stream yet; it's on my bucket list. I can't imagine, however, that it will not take a huge chunk of my license to provide me with NetFlow-style data. The NetFlow Logic tool provides visibility with only a small chunk of at least my license.

0 Karma

NetFlow_Logic
Contributor

Lavkush, based on your question and the responses, you may want to look at our App (https://splunkbase.splunk.com/app/489/) and TA (https://splunkbase.splunk.com/app/1838/). We are processing and optimizing NetFlow (sFlow, jFlow, IPFIX) for Splunk, which can be collected at each network device. Based on the information you're seeking, this should satisfy your needs, but take a look and let us know if you have any questions.

0 Karma

dwaddle
SplunkTrust

To start with, there is no Splunk Forwarder code for most switches/routers. Taking a Cisco Catalyst switch for example: Cisco IOS is a proprietary operating system that does not allow the end user to add or remove features from the software image. Even if it did, Splunk would have to write a version of the forwarder specific to IOS and compile it for each different chipset Cisco uses in different models. This is just not going to happen, especially considering that Cisco does not allow third parties to build custom code that runs inside of IOS.

Given your added requirement of "We just need to capture source IP and Target IP and the Port numbers that they are using from the network traffic," I would suggest you look at NetFlow or the Splunk App for Stream.

ntaylorsplunk
Explorer

That really depends on what type of router/switch you're using and what you're looking for in the traffic. If you just want TCP and UDP connection data, it would be much different than if you're looking for full packet captures.

0 Karma

lavkush
New Member

Hi ntaylor,
Thanks for the quick response.
We just need to capture source IP and target IP and the port numbers that they are using from the network traffic. Please let us know if there is any way to do that.

0 Karma

mnatkin_splunk
Splunk Employee

You have a few different options. Two of the ones I can think of right off the top of my head include the following possibilities:

1) If the device supports NetFlow, forward the NetFlow data to a collector and forward from there. There are a multitude of possible configuration scenarios for this.

2) Run a SPAN off the interesting traffic ports and use either Stream to capture or run a forwarder on the listening device.

A third (not suggested) method would be to run the device in debug mode and forward the debug data accordingly. I strongly suggest against this, though.

0 Karma
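Option 1 above (and the NetFlow suggestions from dwaddle and NetFlow Logic earlier in the thread) ends with a collector receiving UDP export datagrams from the switch. The following added example (not the NetFlow Logic TA, not Splunk code, and not posted by anyone in this thread) shows what that collector has to do with a NetFlow v5 datagram to get the source IP, destination IP and ports the question asks for: validate the header, walk the fixed 48-byte records, and emit key=value lines a Universal Forwarder can pick up from a monitored file. The datagram is constructed inline with RFC 5737 test addresses; the interface indexes, byte counts and timestamps are arbitrary.

```python
"""Decode NetFlow v5 export datagrams into src/dst IP and port records.

This is an added example, not the NetFlow Logic TA or any Splunk code
mentioned in the thread. It assumes the switch/router exports NetFlow v5
over UDP to a collector; the collector would write lines like the ones
produced here to a file monitored by a Universal Forwarder (or send them
to a TCP/UDP input). Only the v5 wire format is implemented.
"""
import socket
import struct
from typing import Any, Dict, List

# NetFlow v5 header: version, count, SysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 flow record (48 bytes), field order per Cisco's v5 format:
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram: bytes) -> List[Dict[str, Any]]:
    """Return one dict per flow record; raise ValueError on malformed input.

    UDP export packets are unauthenticated, so every length is checked
    against the buffer before unpacking rather than trusting the count field.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, _sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("count field does not match datagram length")
    # Top two bits of sampling_interval are the mode; low 14 bits the 1-in-N rate.
    sample_rate = sampling & 0x3FFF
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append({
            "exporter_time": unix_secs,
            "flow_seq": flow_seq + i,
            "src_ip": socket.inet_ntoa(src),
            "src_port": sport,
            "dst_ip": socket.inet_ntoa(dst),
            "dst_port": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "tcp_flags": tcp_flags,
            "packets": pkts,
            "bytes": octets,
            "duration_ms": last - first,   # first/last are SysUptime ms
            "in_if": in_if,
            "out_if": out_if,
            "sample_rate": sample_rate,
        })
    return records


def to_kv(rec: Dict[str, Any]) -> str:
    """Render a record as key=value text, which Splunk field-extracts at search time."""
    return " ".join(f"{k}={v}" for k, v in rec.items())


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram with two flows (not captured from a real device)."""
    header = V5_HEADER.pack(5, 2, 123456, 1700000000, 0, 1000, 0, 0, 0)

    def rec(src, dst, sport, dport, proto, pkts, octets, flags):
        return V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            1, 2, pkts, octets, 100000, 101500, sport, dport,
            0, flags, proto, 0, 0, 0, 24, 24, 0)

    # A DNS lookup and an HTTPS connection from the same host (RFC 5737 test address).
    return (header
            + rec("10.1.1.20", "10.1.1.53", 40001, 53, 17, 2, 180, 0)
            + rec("10.1.1.20", "203.0.113.7", 51000, 443, 6, 12, 4020, 0x1B))


if __name__ == "__main__":
    for r in parse_netflow_v5(build_sample_datagram()):
        print(to_kv(r))
```

Each flow costs 48 bytes on the wire and one short line in the index, regardless of how many packets or bytes it summarises, which is why the earlier reply about license usage favours NetFlow over full capture when only the IP/port tuples are needed. Whatever receives these datagrams should bind only to the export port, accept them only from the configured exporter addresses, and treat every field as untrusted.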