Splunk network monitoring

perfecto25
Path Finder

Hello, I am trying to figure out how we can use Splunk to monitor and report on our network,

specifically I need to catch network errors for things like,

  1. dropped packets or connections
  2. any kind of network error
  3. blockage by firewall or switch ACL
  4. any other form of connection data

I tried Splunk Stream, which gives us a lot of data on general chatter and bandwidth info, but it's not very useful for detecting network errors or troubleshooting problems.

Is there an app or examples on how to set something like this up? Thanks.

0 Karma

NetFlow_Logic
Contributor

You may need to collect the following data in Splunk:

> dropped packets or connections
> any kind of network error

You can get this information from SNMP polling/traps, sFlow counters, or certain NetFlow/IPFIX records.

> blockage by firewall or switch ACL

syslogs or NetFlow data

> any other form of connection data

NetFlow, sFlow, IPFIX

We are a Splunk partner and we provide all this data (except syslog, which is natively ingested by Splunk) with our product - NetFlow Optimizer.

Try it for free by visiting https://www.netflowlogic.com/download/

0 Karma

solarboyz1
Builder

Splunk is a data tool, for it to help you with those issues, you would need to provide the information required to identify the issue.

specifically I need to catch network errors for things like,

  1. dropped packets or connections

You will need to define what you mean here, packets are dropped on networks all the time.

  2. any kind of network error

  3. blockage by firewall or switch ACL

  4. any other form of connection data

0 Karma

solarboyz1
Builder

What I meant to say:

  1. dropped packets or connections
  2. any kind of network error
  3. blockage by firewall or switch ACL
  4. any other form of connection data

Configure switches/routers/firewalls to syslog to your Splunk instance.
Install the appropriate apps for the network devices used.

You can install streams and capture the metadata, or configure netflow collectors and send to streams.
All depends on what you have available and what you are trying to do.

But getting the logs from your network devices is probably a good first step and will meet many if not all of your needs.

0 Karma