Getting Data In

No data can be seen from Forcepoint Firewall in Splunk Enterprise

lzahariev
Explorer

Hi all,

We've configured a Forcepoint Next Generation Firewall (NGFW) to send data through it's Security Management Center (SMC) after following this article: https://forcepoint.github.io/docs/ngfw_and_splunk/, however no data is displayed in the Splunk Enterprise (Standalone) Web UI > Apps > Forcepoint. From a 'tcpdump' on the Splunk Ent. device (hosted on Linux CentOS 7), we can see incoming traffic on configured incoming TCP-19997 port.

Could anyone advise please?

Kind regards,
Lubo

Splunk_Ent_webui_screenshot_Forcepoint.PNG

Labels (1)
0 Karma
1 Solution

lzahariev
Explorer

Hi!

Just for the record, we've made progress, whereby we've changed the value of 'LINE_BREAKER = ' from the default '([\r\n]+)' to '<record>' in the $SPLUNK_HOME/etc/system/local/props.conf file, because the indexer could not seem to parse the incoming .xml data, as configured in that format on the Forecepoint SMC. 

The above was determined from this article:
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-do-event-break-for-XML-file-like-th...

Now we can see event data in the Splunk Ent. Web UI > Apps > Forcepoint, which we couldn't before, but in the Search & Reporting app the event data still cannot seem to be broken into columns if changed to Table view - not sure if that's how data is supposed to be displayed in the first place...

Thanks for your input PickleRick! Much appreciated!

Regards,
Lubo

View solution in original post

0 Karma

lzahariev
Explorer

Hi, thanks for your reply!

We've had successful three way TCP handshakes between our Forcepoint SMC and Splunk Enterprise (standalone) deployment, however no data that could be seen, as per this screenshot from the deployment guide: https://forcepoint.github.io/docs/ngfw_and_splunk/media/image9.png

I'm not sure what you meant by "written to the proper index", I'm new to Splunk, however my guess would be that - yes, there is data written to the correct Index, as seen from the Splunk web UI > Settings > Data > Indexes > (name) forcepoint, (app) forcepoint-solutions, (event count) 41.9M, (home path) $SPLUNK_DB/forcepoint/db. We've also created a custom sourcetype - key-value pairs, as per the deployment guide do, mentioned above.

"Does this app require any additional configuration to find the events?"
 - Not sure, that's why I was hoping if someone with experience with this type of setup could advise, please.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ahh, it seems you're not using the Splunk-provided Add-On which parses the syslog data, but some Forcepoint-supplied solution with a complete docker image containing universal forwarder. Well, that's an ugly solution if you ask me, because you don't know much what's going on inside that docker image.

Your index indeed seems to be populated with events. Check them out with searching simply for

index=forcepoint

Unfortunately, there' s not much information about this solution on the Github documentation page so it's best to start with https://forcepoint.github.io/docs/ngfw_and_splunk/#check-all-components-are-configured-and-running-p...

0 Karma

lzahariev
Explorer

A-ha! OK that's better! So I've searched for 'index="forcepoint"' in the Search & Reporting App and can see data, but it seems bogus, as host=IP.addr.of.SMC, source=tcp:19997, sourcetype=key-value pairs, and that is if I have the Table view selected. If I have the List view selected, I can see more relevant data related what we need...

I have a feeling that we haven't configured Splunk Ent. to break the event data accordingly. The data seems to arrive in a .xml format, as configured on the SMC server: 
SYSLOG_CONF_FILE=<smc_install_dir>/data/fields/syslog_templates/fp-smc-log-fields-v1.xml

I have also changed the sourcetype from 'key-value pairs' to 'syslog', so we'll just have to test and advise back. Alternatively if that doesn't work, I'll try the 'next-generation-firewall' in the sourcetype and give it a second try.

Will let you know, thanks for now!

If you have any other thoughts to share in the meanwhile, please let us know, it would be very much appreciated!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Well, configuration on splunk side should not normally be needed since here https://forcepoint.github.io/docs/ngfw_and_splunk/#setup-forcepoint-app-inside-splunk you're coppying an app into splunk's configuration directory so it should contain all appropriate parsing rules. And the UF included in the docker image should set a proper sourcetype/index on forwarded data.

0 Karma

lzahariev
Explorer

Hi!

Just for the record, we've made progress, whereby we've changed the value of 'LINE_BREAKER = ' from the default '([\r\n]+)' to '<record>' in the $SPLUNK_HOME/etc/system/local/props.conf file, because the indexer could not seem to parse the incoming .xml data, as configured in that format on the Forecepoint SMC. 

The above was determined from this article:
https://community.splunk.com/t5/Dashboards-Visualizations/How-to-do-event-break-for-XML-file-like-th...

Now we can see event data in the Splunk Ent. Web UI > Apps > Forcepoint, which we couldn't before, but in the Search & Reporting app the event data still cannot seem to be broken into columns if changed to Table view - not sure if that's how data is supposed to be displayed in the first place...

Thanks for your input PickleRick! Much appreciated!

Regards,
Lubo

0 Karma

PickleRick
SplunkTrust
SplunkTrust

By "incoming traffic" you mean just SYN packets or full bidirectional flow? Do you see data within this stream? If so, then splunk is receiving the events, you just have to find them.

Are they written to the proper index?

Does this app require any additional configuration to find the events? (might need some macro update or something like that).

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...