Getting Data In

How to get Cyberoam logs in Splunk?

V4M51
Engager

Please help me in detail, step by step. I have no idea about Cyberoam.


kamlesh_vaghela
SplunkTrust

Hi

1st, you have to add a syslog server, which forwards the Cyberoam logs to the Splunk server. This is the Cyberoam-side configuration. Check the link below for more info.

https://kb.cyberoam.com/default.asp?id=396

2nd, the Splunk-side configuration. You have to configure Splunk to get data from TCP and UDP ports.
Check the link below for more info.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitornetworkports

3rd, for field extraction, download the Cyberoam TA from Splunkbase and install it into your Splunk instance.

TA URL:

https://splunkbase.splunk.com/app/3126/

I hope this information will help you.

Thanks


saurabh_tek11
Communicator
  1. Splunk's best practice is to write the networking device's logs to an intermediary syslog server (this is to ensure continuous availability of the network device logs irrespective of the availability of the Splunk servers); you may use syslog-ng or rsyslog, so have a syslog server.

  2. Configure the Cyberoam device to start sending the logs to the syslog server's IP address.

  3. Check whether the logs are being written to the syslog server or not.

  4. If the logs are coming in, then install the Splunk universal forwarder on that syslog server, which shall monitor these logs/directory and send them to your indexer IP on port 9997 with sourcetype: cyberoam & index: *custom*
    Monitor files and directories with inputs.conf (https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Monitorfilesanddirectorieswithinputs.co...)

  5. Install the Cyberoam add-on on your Splunk instances for automatic field extractions.

  6. Search for index=* sourcetype=cyberoam

=====
Another direct approach can be:
a. Configure the device to send logs directly to your indexer IP address on UDP 514.
b. Have the add-on installed on your Splunk instances.
c. Open the port UDP:514 on Splunk and on your Splunk server's OS firewall:

Input Type : UDP Port
Port Number : 514
Source name override : N/A
Restrict to Host : give IP of your device (1.2.3.4)
Source Type: cyberoam
App Context : search
Host : (IP address of the remote server)
Index : create new > cyberoam

d. Ensure that there is no other device which might be blocking this data movement.

e. Search for index=* sourcetype=cyberoam

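As an added example (not configuration from either answer above), here are the two layouts that kamlesh_vaghela's accepted answer and saurabh_tek11's steps describe, written out as Splunk .conf stanzas. The monitored path, the `<indexer-ip>` placeholder and the index name `cyberoam` are assumptions; the device IP 1.2.3.4 is the placeholder from the post.

```ini
# --- Approach 1: universal forwarder on the intermediary syslog server ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder.
# The path is an assumption: point it at the file or directory your
# syslog-ng / rsyslog rule writes the Cyberoam messages to.
[monitor:///var/log/cyberoam]
sourcetype = cyberoam
index = cyberoam
disabled = false

# $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder:
# ship the events to the indexer's receiving port 9997 named in the post.
[tcpout]
defaultGroup = cyberoam_indexers

[tcpout:cyberoam_indexers]
server = <indexer-ip>:9997

# --- Approach 2: indexer listens on UDP 514 directly ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer.
# Same settings as the UI form in the post: restricted to the device IP
# ("Restrict to Host"), host taken from the sender's IP, no source override.
[udp://1.2.3.4:514]
sourcetype = cyberoam
index = cyberoam
connection_host = ip
disabled = false

# Both approaches: the target index must exist on the indexer
# ($SPLUNK_HOME/etc/system/local/indexes.conf), otherwise the indexer
# discards events addressed to it and the search returns nothing.
[cyberoam]
homePath   = $SPLUNK_DB/cyberoam/db
coldPath   = $SPLUNK_DB/cyberoam/colddb
thawedPath = $SPLUNK_DB/cyberoam/thaweddb
```

On Linux, binding UDP 514 requires splunkd to run as root or hold CAP_NET_BIND_SERVICE, so a non-root install needs either that capability or a syslog port above 1023 configured on both the device and in the stanza.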

kamlesh_vaghela
SplunkTrust

Hi @V4M51,

Have you tried?

Thanks


Richfez
SplunkTrust

@V4M51 If this answer helped you resolve your problem, please click the Accept button. If you need additional help, please ask!

@kamlesh_vaghela, I've converted this to an answer because I think it deserves to be one.

Happy Splunking,
-Rich


haseenhussain
New Member

I followed these steps, and after this I went to Search & Reporting in Splunk and clicked on Data Summary, but it is only showing "waiting for result". What is the problem? Please help me.


kamlesh_vaghela
SplunkTrust

In which index/sourcetype is your data coming in?
The Cyberoam TA uses the cyberoam sourcetype.

Can you please check whether any data is coming into Splunk?


haseenhussain
New Member

No data is coming from Cyberoam to Splunk.


saurabh_tek11
Communicator
  1. Is the data reaching the syslog server?
  2. If yes, share your inputs.conf stanza where you are monitoring these logs.
  3. If no, check whether the syslog configuration is correct / whether there is any other device which might be blocking the incoming data to the syslog server.

  4. If data is coming to the syslog server but is not monitored by Splunk, then apparently your inputs stanza has room for improvement, or on the local machine's OS firewall (where Splunk is installed) that port is closed.

Thanks. - Saurabh


kamlesh_vaghela
SplunkTrust

Hi
Can you please share the implementation steps you did? Like, how you forward Cyberoam data to Splunk, etc.


haseenhussain
New Member

In Cyberoam:
Logs & Reports > conf > syslog ser > add
name:
ip/domain: IP of the PC (the PC where Splunk is installed)
port: TCP 1024


haseenhussain
New Member

And I also checked the port on my Windows system, but it is only
showing "listening".
