Hi
1st, you have to add a syslog server, which forwards the Cyberoam logs to the Splunk server. This is the Cyberoam-side configuration. Check the link below for more info.
https://kb.cyberoam.com/default.asp?id=396
2nd, the Splunk-side configuration. You have to configure Splunk to get data from TCP and UDP ports.
Check the link below for more info.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitornetworkports
3rd, for field extraction, download the Cyberoam TA from Splunkbase and install it into your Splunk instance.
TA URL:
https://splunkbase.splunk.com/app/3126/
I hope this information helps you.
Thanks
Splunk's best practice is to write the networking device's logs to an intermediary syslog server (this is to ensure continuous availability of the network devices' logs irrespective of the availability of the Splunk servers). You may use syslog-ng or rsyslog, so have a syslog server.
Configure the Cyberoam device to start sending the logs to the syslog server's IP address.
Check whether the logs are being written to syslog or not.
If the logs are coming, then install the Splunk universal forwarder on that syslog server, which shall monitor these logs/directory and send them to your indexer IP on port 9997 with sourcetype: cyberoam & index: *custom*.
Monitor files and directories with inputs.conf (https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.co...)
Install the Cyberoam add-on on your Splunk instances for automatic field extractions.
Search for index=* sourcetype=cyberoam
=====
Another, more direct approach can be:
a. Configure the device to send logs directly to your indexer IP address on UDP 514.
b. Have the add-on installed on your Splunk instances.
c. Open port UDP 514 in Splunk and in your Splunk server's OS firewall:
Input Type : UDP Port
Port Number : 514
Source name override : N/A
Restrict to Host : give IP of your device (1.2.3.4)
Source Type: cyberoam
App Context : search
Host : (IP address of the remote server)
Index : create new > cyberoam
d. Ensure that there is no other device which might be blocking this data movement.
e. Search for index=* sourcetype=cyberoam
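As an added example (not from either answer above), here is an inputs.conf fragment that writes down both routes described in this answer: the universal-forwarder monitor stanza for the syslog-server approach, and the direct UDP 514 input with the values listed under step c. The log directory /var/log/cyberoam and the device IP 1.2.3.4 are assumed placeholders.

```ini
# Route 1: on the syslog server, the universal forwarder monitors the files
# rsyslog/syslog-ng writes for the device. The path is an assumption; make it
# match your syslog template. sourcetype=cyberoam is what the Cyberoam TA keys
# its field extractions on, so keep it exactly.
[monitor:///var/log/cyberoam]
sourcetype = cyberoam
index = cyberoam
disabled = 0

# Route 1 also needs outputs.conf on the forwarder, pointing at the indexer
# on 9997 (host name is an assumption):
#   [tcpout:indexers]
#   server = splunk-indexer.example.com:9997

# Route 2: the indexer itself listens on UDP 514.
# "Restrict to Host : 1.2.3.4" from step c becomes the host part of the stanza;
# "Host : IP address of the remote server" becomes connection_host = ip.
[udp://1.2.3.4:514]
sourcetype = cyberoam
index = cyberoam
connection_host = ip
```

The cyberoam index must exist before events arrive (the UI's "create new" step), otherwise Splunk drops them silently; on Linux, binding UDP 514 requires root or a capability, which is one more reason the answer prefers the syslog-server route.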
Hi @V4M51,
Have you tried?
Thanks
@V4M51 If this answer helped you resolve your problem, please click the Accept button. If you need additional help, please ask!
@kamlesh_vaghela, I've converted this to an answer because I think it deserves to be one.
Happy Splunking,
-Rich
I followed these steps, and after this I went to Search & Reporting in Splunk and clicked on Data Summary, but it's only showing "waiting for results". What is the problem? Please help me.
In which index/sourcetype is your data coming?
The Cyberoam TA uses the cyberoam sourcetype.
Can you please check whether any data is coming to Splunk?
No data is coming from Cyberoam to Splunk.
If not, check whether the syslog configuration is correct, or whether there is any other device which might be blocking the incoming data to syslog.
If data is coming to syslog but is not monitored by Splunk, then apparently your inputs stanza has room for improvement, or that port is closed in the local machine's OS firewall (where Splunk is installed).
Thanks. - Saurabh
Hi
Can you please share the implementation steps you did? Like, how you forward Cyberoam data to Splunk, etc.
In Cyberoam:
Logs & Reports > Configuration > Syslog Server > Add
Name:
IP/Domain: IP of the PC (the PC where Splunk is installed)
Port: TCP 1024
And I also checked the port on my Windows system, but it's only showing "listening".