SonicWall Viewpoint 6.0: export logs to Splunk via syslog (UDP port 514)?

woodcock
Esteemed Legend

I have configured this Windows Server 2008 software as indicated on this website:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7462

In case that link doesn't show, I did the following:

  • http://127.0.0.1/appliance/login
  • Select "Deployment", then "Roles", then "Single Server Configuration".
  • Click "Viewpoint" radio button.
  • Enter "514" in the "Single Server Port" textbox.
  • Enter "Database User" and "Database Password" (and "Confirm Database Password") fields.
  • Click "Update" button and wait a long time.

I am intending that this will export data through localhost (127.0.0.1) port 514 but I am confused by the whole "DB user" stuff which makes it look like perhaps this configuration is setting up an INPUT as opposed to an OUTPUT.

In any case, I set up a Splunk input listener on the viewpoint server machine with this inputs.conf configuration:

[udp://514]
sourcetype=sonicwall

I also tried "udp://localhost:514" and "udp://127.0.0.1:514".

I made sure to enable ports with these lines in default-mode.conf:

[pipeline:udp]
disabled=false

But I am not getting anything coming in to Splunk.
I have cygwin installed and when I am doing TCP ports, I can test with something like this:

echo "Splunk TCP:514 test" | nc localhost 514

If I keep everything the same but change all "tcp" strings to "udp" then this test works (I get a "Splunk TCP:514 test" event). However, if I use the UDP variant of this, it just hangs forever:

echo "Splunk UDP:514 test" | nc -u localhost 514

Here is the "netstat -an" output from cygwin:

UDP 0.0.0.0:514 *:*

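An added example for this thread (editor's code, not part of woodcock's post and not Splunk or SonicWall tooling): a small UDP syslog probe that does what the `nc -u` test above is trying to do, but with a receive side and a timeout. UDP has no connection to close, so `nc -u` sits waiting on stdin or a reply whether or not anything received the datagram; the only way to know delivery worked is to watch the receiving end. The script binds its own throwaway listener on 127.0.0.1 (port 0 means "pick a free port"), sends one RFC 3164-style message to it, and parses the PRI field back into facility and severity. The facility/severity values and message text are constructed samples.

```python
"""UDP syslog round-trip probe with a timeout (added example, not Splunk code)."""
import re
import socket

# RFC 3164-style line: "<PRI>" followed by the message body. PRI = facility*8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_syslog_message(facility: int, severity: int, text: str) -> bytes:
    """Encode a minimal RFC 3164 message (PRI + body) as a UDP payload."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    return f"<{pri}>{text}".encode("utf-8")


def parse_syslog_message(payload: bytes) -> dict:
    """Split PRI back into facility/severity; a line with no PRI is reported as such."""
    text = payload.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if not m:
        return {"facility": None, "severity": None, "message": text}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "message": m.group(2)}


def probe_udp_listener(host: str = "127.0.0.1", port: int = 0,
                       timeout: float = 2.0) -> dict:
    """Bind a UDP listener, send one syslog datagram to it, and wait for it with a timeout.

    Returns the parsed datagram plus the port actually used. UDP gives the sender no
    acknowledgement, so only the receive side tells you whether delivery worked; a
    sender that never returns (nc -u waiting on stdin/reply) proves nothing either way.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        # Constructed sample: facility 4 (auth), severity 6 (info). Not a SonicWall event.
        payload = build_syslog_message(4, 6, "Splunk UDP test from probe")
        sender.sendto(payload, (host, bound_port))
        try:
            data, _peer = listener.recvfrom(65535)
        except socket.timeout:
            # Nothing arrived within the timeout: report that instead of hanging.
            return {"port": bound_port, "received": False}
        result = parse_syslog_message(data)
        result.update({"port": bound_port, "received": True})
        return result
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print(probe_udp_listener())
```

To point the same sender at a real Splunk `udp://514` input, send the payload to port 514 instead and look for the event in Splunk; the timeout only applies when this script is also the receiver.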

woodcock
Esteemed Legend

It turns out that the only way to do it is to create an additional syslog instance inside the "SonicWALL Network Security" area. The other 2 "syslog" configurations have nothing to do with exporting syslog. I have it working now.


bmacias84
Champion

Ok, I have no idea what Security, Policies, etc. are configured, so here are my troubleshooting steps on Windows. Also, did you apply your Windows Firewall exception to all profiles (Private, Domain, Public)?

  • If the firewall is enabled on Windows, configure firewall logs and review them.
  • Verify Windows Event Viewer log entries for port 514.
  • Try running Splunk as NT AUTHORITY\SYSTEM or NT AUTHORITY\LocalSystem and see if Splunk is able to bind and listen.
  • Configure Splunk to listen on a higher port.
  • From a workstation or server in the same subnet, try using PortQryV2.exe (Windows utility for TCP and UDP).
  • netstat -a -n -o will give the PID of the processes using those ports.

woodcock
Esteemed Legend

The documentation online for Windows Server 2008 says to use Group Policy Management to enable firewall logging but the component required is not there ("Firewall Settings for Windows Servers"). The Windows help on the machine itself says to enable firewall logging through the "Windows Firewall with Advanced Security" Control Panel but this too lacks any ability to modify the settings as explained (there is no "Customize" object to click under "Logging"). I am at a total dead end to enable logging and the logfile that is listed has not been updated since 2009 so I know logging is off.


woodcock
Esteemed Legend

I created a Windows firewall exception "SonicWall Syslog" that allows UDP port 514 for all computers on my local network. I still get nothing and the netcat test still hangs.


woodcock
Esteemed Legend

Splunk instance running as system administrator user "admin". Windows firewall is on.


bmacias84
Champion

Is your Splunk instance running as a service account or System? Also, are you running as an Administrator? Also, do you have Windows Firewall turned on?
