Getting Data In

How would I go about getting Cisco FTD into Splunk Cloud?

krunaldave
Explorer

Hi,


How would I go about getting Cisco FTD logs into Splunk Cloud? Would I need to install a forwarder on the same network I have the FTD installed and then send those to Splunk Cloud from the forwarder? If so, can it be a Windows forwarder?

0 Karma

richgalloway
SplunkTrust

Perhaps the easiest way is to install a heavy forwarder (HF) on one of your on-prem servers and use the HF to collect FTD data and forward it to Splunk Cloud.

You also may be able to ingest the data directly into Splunk Cloud, but first you'll need an app that fetches the data from FTD. The app will need inputs.conf in addition to any props or transforms needed for the data.

If your Splunk Cloud stack uses the Victoria experience, then upload the app to the stack. Enable the input on one search head and Splunk Cloud should do the rest.

If your Splunk Cloud stack uses the Classic experience, then the app will need to be installed on your IDM, which Splunk Cloud Support can do for you.

---
If this reply helps you, Karma would be appreciated.

krunaldave
Explorer

@richgalloway thank you for your response. Can the heavy forwarder be installed on a Windows host, or is the heavy forwarder a Linux instance? If you have any links to documentation, I will really appreciate it.

0 Karma

inventsekar
SplunkTrust

"Can the heavy forwarder be installed on a Windows host, or is the heavy forwarder a Linux instance? If you have any links to documentation, I will really appreciate it."

Yep, a heavy forwarder can be installed on a Windows host.

(An HF is nothing but a full Splunk Enterprise installation with "forwarding" enabled, so the Splunk Enterprise system works as a "forwarder". Since it is "heavier" compared to the UF, hence the name "heavy forwarder".)

Splunk Enterprise installation guide for Windows:

https://docs.splunk.com/Documentation/Splunk/9.0.4/Installation/ChoosetheuserSplunkshouldrunas

To set up forwarding (heavy forwarder):

https://docs.splunk.com/Documentation/Splunk/9.0.4/Forwarding/Deployaheavyforwarder


thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

krunaldave
Explorer

Hi,

Just to summarize:

To get Cisco FTD logs into Splunk Cloud, install a heavy forwarder (could be a Windows machine) and have the FTD send logs to it. Then have the heavy forwarder send the logs to Splunk Cloud. Last question would be how to get the logs into Splunk Cloud from the heavy forwarder, since I only have a URL to log into Splunk Cloud and not an IP address. Do we install the credentials package on the HF, similar to what we would do with a UF?


Thanks, really appreciate the support.


0 Karma

richgalloway
SplunkTrust

Yes, install the credentials package just as you do for a UF. Despite the name, the "Universal Forwarder" app applies to all forwarders.

---
If this reply helps you, Karma would be appreciated.
0 Karma
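Putting the steps in this thread together (FTD sends syslog to the HF, the HF gets the credentials package and forwards to Splunk Cloud), here is an added example. It is my own configuration, not something posted above or taken from Splunk or Cisco documentation. The app name cisco_ftd_inputs, the port 1514, the index netfw and the sourcetype cisco:ftd:syslog are assumptions; if you deploy the Cisco add-on, use the sourcetype it documents. splunkclouduf.spl is the name of the credentials package downloaded from the Splunk Cloud UI. The script is POSIX sh for a Linux HF; on a Windows HF, create the same two files under %SPLUNK_HOME%\etc\apps\cisco_ftd_inputs\local\ and run the splunk.exe commands from a command prompt.

```shell
#!/bin/sh
# Added example (not from the thread, Splunk or Cisco): build a minimal app for the
# heavy forwarder that listens for Cisco FTD syslog, then verify that the HF is
# forwarding to Splunk Cloud. App name, port, index and sourcetype are assumptions.

# Write inputs.conf and props.conf under <app_dir>/local.
write_ftd_app() {
  app_dir="$1"
  mkdir -p "$app_dir/local"

  # Port 1514 rather than 514: a Splunk process that does not run as root cannot
  # bind a port below 1024. Point the FTD syslog server setting at this port.
  # Prefer TCP: UDP events are silently lost while the HF is down or restarting.
  cat > "$app_dir/local/inputs.conf" <<'EOF'
[tcp://1514]
sourcetype = cisco:ftd:syslog
index = netfw
connection_host = ip
disabled = false

# Fallback if the FTD can only send UDP. Keep the timestamp the device sent
# instead of letting Splunk prepend its own.
[udp://1514]
sourcetype = cisco:ftd:syslog
index = netfw
connection_host = ip
no_appending_timestamp = true
disabled = true
EOF

  # One FTD syslog message is one event: never merge lines, and raise TRUNCATE
  # because connection, file and malware events carry long key: value lists.
  cat > "$app_dir/local/props.conf" <<'EOF'
[cisco:ftd:syslog]
SHOULD_LINEMERGE = false
TRUNCATE = 10000
MAX_TIMESTAMP_LOOKAHEAD = 40
EOF
}

# Return 0 if the written app contains the TCP input and the sourcetype stanza.
check_ftd_app() {
  app_dir="$1"
  grep -q '^\[tcp://1514\]' "$app_dir/local/inputs.conf" &&
  grep -q '^sourcetype = cisco:ftd:syslog' "$app_dir/local/inputs.conf" &&
  grep -q '^\[cisco:ftd:syslog\]' "$app_dir/local/props.conf"
}

# On the HF itself: install the Splunk Cloud credentials package (the same
# splunkclouduf.spl you would install on a UF), restart, then confirm the HF
# sees the cloud indexers and has picked up the new input. Needs SPLUNK_HOME.
verify_hf() {
  splunk="$SPLUNK_HOME/bin/splunk"
  [ -x "$splunk" ] || { echo "splunk CLI not found at $splunk" >&2; return 1; }
  "$splunk" install app "${1:-splunkclouduf.spl}"
  "$splunk" restart
  "$splunk" list forward-server                  # cloud indexers should be listed as active
  "$splunk" btool inputs list tcp://1514 --debug  # shows which file each setting came from
  "$splunk" list inputstatus
}

# Stand-alone use on a heavy forwarder; does nothing when SPLUNK_HOME is not set
# (for example when these functions are sourced for testing).
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME/etc/apps" ]; then
  write_ftd_app "$SPLUNK_HOME/etc/apps/cisco_ftd_inputs"
  check_ftd_app "$SPLUNK_HOME/etc/apps/cisco_ftd_inputs" && echo "cisco_ftd_inputs written"
fi
```

The props stanza belongs on the HF and not only in the cloud stack because a heavy forwarder parses events before sending them; index-time settings such as line breaking and truncation have no effect if they are applied only after the data has left the HF. The credentials package supplies outputs.conf and the TLS material for the cloud indexers, so no outputs.conf is written here. Once FTD is pointed at the HF's IP and port, a search such as index=netfw sourcetype=cisco:ftd:syslog in Splunk Cloud confirms end-to-end delivery.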

inventsekar
SplunkTrust

Maybe show your appreciation by giving us some karma points, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

richgalloway
SplunkTrust

The forwarder can be on any supported platform.

I have links to lots of documentation. What specifically are you looking for?

---
If this reply helps you, Karma would be appreciated.