I have configured this Windows Server 2008 software as indicated on this website:
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7462
In case that link doesn't show, I did the following:
- http://127.0.0.1/appliance/login
- Select "Deployment", then "Roles", then "Single Server Configuration".
- Click "Viewpoint" radio button.
- Enter "514" in the "Single Server Port" textbox.
- Enter "Database User" and "Database Password" (and "Confirm Database Password") fields.
- Click "Update" button and wait a long time.
I am intending that this will export data through localhost (127.0.0.1) port 514 but I am confused by the whole "DB user" stuff which makes it look like perhaps this configuration is setting up an INPUT as opposed to an OUTPUT.
In any case, I setup a Splunk input listener on the viewpoint server machine with this inputs.conf configuration:
[udp://514]
sourcetype=sonicwall
I also tried "udp://localhost:514" and "udp://127.0.0.1:514".
I made sure to enable ports with these lines in default-mode.conf:
[pipeline:udp]
disabled=false
But I am not getting anything coming in to Splunk.
I have cygwin installed and when I am doing TCP ports, I can test with something like this:
echo "Splunk TCP:514 test" | nc localhost 514
If I keep everything the same but change all "tcp" strings to "udp" then this test works (I get a "Splunk TCP:514 test" event). However, if I use the UDP variant of this, it just hangs forever:
echo "Splunk UDP:514 test" | nc -u localhost 514
Here is the "netstat -an" output from cygwin:
UDP 0.0.0.0:514 *:*
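The `nc -u` "hang" described above is expected behaviour for UDP: there is no handshake and the listener never replies, so netcat simply waits after the datagram has (probably) been delivered. The following added example (not code from the thread or from Splunk) removes that ambiguity by binding its own UDP receiver, sending one RFC 3164-style syslog line through loopback and reporting within a timeout whether it arrived. Hostname, tag and port choice are assumptions for illustration.

```python
"""Send a syslog-format test datagram over UDP and confirm it arrives.

Added example, not from the thread. UDP has no acknowledgement, so a sender
alone cannot tell whether a datagram was delivered; this script owns both
ends of the exchange and uses a timeout instead of waiting forever.
"""
import socket
import time


def build_syslog_message(facility, severity, hostname, tag, msg):
    """Build an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    pri = facility * 8 + severity                      # PRI = facility*8 + severity
    t = time.localtime()
    # RFC 3164 pads a single-digit day with a space ("Jan  5"), not a zero.
    timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}"


def parse_pri(line):
    """Return (facility, severity) from a syslog line, or None if the PRI is malformed."""
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end < 1 or end > 4 or not line[1:end].isdigit():   # PRI is 1..3 digits
        return None
    pri = int(line[1:end])
    if pri > 191:                                         # max facility 23, severity 7
        return None
    return divmod(pri, 8)


def probe_udp_listener(host, port, payload, timeout=2.0):
    """Bind a receiver on (host, port), send payload to it, return the text received or None.

    Port 0 asks the OS for a free ephemeral port. If a real listener (for
    example splunkd on 514) already owns the port, bind() raises OSError,
    which is itself evidence that the port is taken.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(timeout)
        bound_port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload.encode("utf-8"), (host, bound_port))
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return None
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Facility 16 = local0, severity 6 = informational; hostname and tag are made up.
    msg = build_syslog_message(16, 6, "viewpoint-host", "sonicwall", "Splunk UDP test")
    got = probe_udp_listener("127.0.0.1", 0, msg)
    print("received" if got else "timed out", got)
```

Run it with the port set to 514 while Splunk is listening and the `OSError` from `bind()` confirms the socket is already owned; run it with port 0 and a successful round trip confirms loopback UDP delivery works on the host, which isolates the problem to the sending side (the ViewPoint configuration) rather than the Windows networking stack.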
It turns out that the only way to do it is to create an additional syslog instance inside the "SonicWALL Network Security" area. The other 2 "syslog" configurations have nothing to do with exporting syslog. I have it working now.
Ok, I have no idea what Security, Policies, etc. are configured, so here are my troubleshooting steps on Windows. Also, did you apply your Windows Firewall Exception to all Profiles (Private, Domain, Public)?
- If Firewall is Enabled on Windows, configure firewall logs and review.
- Verify Windows Event Viewer log entries for port 514.
- Try running Splunk as NT AUTHORITY\SYSTEM or NT AUTHORITY\LocalSystem. See if Splunk is able to Bind and Listen.
- Configure Splunk to listen on a Higher port.
- From a workstation or server in the same subnet, try using PortQryV2.exe (Windows Utility for TCP and UDP).
- Netstat -a -n -o will give the PID of processes using those ports.
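The last step above is worth automating when several Splunk and syslog components share a box: the question is not only whether UDP 514 is bound, but whether the expected process owns it. The following added example (not code from the thread) parses `netstat -a -n -o` output and classifies the listener state. The sample output and PIDs are constructed for illustration and are not from the poster's server.

```python
"""Find which process owns a port from Windows `netstat -a -n -o` output.

Added example, not from the thread. The sample below is constructed to look
like Windows netstat output; every address and PID in it is made up.
"""

# Constructed sample, not real output from the poster's server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:514          0.0.0.0:0              LISTENING       4120
  UDP    0.0.0.0:514            *:*                                    4120
  UDP    127.0.0.1:1900         *:*                                    1320
"""


def parse_netstat(text):
    """Yield one dict per socket line: proto, ip, port, state, pid (pid None without -o)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # TCP lines carry a State column; UDP lines go straight to the PID.
        if proto == "TCP":
            state = parts[3] if len(parts) > 3 else ""
            pid = int(parts[4]) if len(parts) > 4 else None
        else:
            state = ""
            pid = int(parts[3]) if len(parts) > 3 else None
        # rpartition keeps IPv6 forms such as [::]:514 intact.
        ip, _, port = local.rpartition(":")
        yield {"proto": proto, "ip": ip, "port": int(port), "state": state, "pid": pid}


def port_owners(text, port, proto="UDP"):
    """Return [(bind_address, pid)] for every socket bound to `port` over `proto`."""
    return [(e["ip"], e["pid"]) for e in parse_netstat(text)
            if e["proto"] == proto and e["port"] == port]


def listener_check(text, port, expected_pid, proto="UDP"):
    """Classify a port: 'missing', 'unknown_owner', 'owned_by_other' or 'ok'.

    'unknown_owner' means the port is bound but netstat was run without -o,
    so no PID column is present and ownership cannot be confirmed.
    """
    owners = port_owners(text, port, proto)
    if not owners:
        return "missing"
    if any(pid is None for _, pid in owners):
        return "unknown_owner"
    if all(pid == expected_pid for _, pid in owners):
        return "ok"
    return "owned_by_other"


if __name__ == "__main__":
    # 4120 stands in for the splunkd PID; look it up with tasklist on a real host.
    print(port_owners(SAMPLE_NETSTAT, 514))
    print(listener_check(SAMPLE_NETSTAT, 514, 4120))
```

Feed it the real output with `netstat -a -n -o > netstat.txt` and the splunkd PID from `tasklist`; `owned_by_other` means another service grabbed the port first and Splunk's listener silently failed to bind, while `ok` with no events arriving points back at the sender.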
The documentation online for Windows Server 2008 says to use Group Policy Management to enable firewall logging, but the component required is not there ("Firewall Settings for Windows Servers"). The Windows help on the machine itself says to enable firewall logging through the "Windows Firewall with Advanced Security" Control Panel, but this too lacks any ability to modify the settings as explained (there is no "Customize" object to click under "Logging"). I am at a total dead end to enable logging, and the logfile that is listed has not been updated since 2009, so I know logging is off.
I created a Windows firewall exception "SonicWall Syslog" that allows UDP port 514 for all computers on my local network. I still get nothing and the netcat test still hangs.
Splunk instance running as system administrator user "admin". Windows firewall is on.
Is your Splunk instance running as a service account or System? Also, are you running as an Administrator? Also, do you have Windows Firewall turned on?
