Hi all
Let me preface this with: I am new to SPLUNK - I installed it 2 hours ago & I think it's great.
I have tried to find the answers from the docs and other posts, but can't find something that will make it work.
SETUP:
SPLUNK 4.3.4 installed on Ubuntu 12.04 64 bit Server. Installed using tgz not deb file.
Installed as user to /home/john/opt not as sudo to /opt
SUCCESS:
Have added Data Source from local folder /var/log & this works great SPLUNK has indexed it and made it searchable
NEXT STEP:
To add my Cisco ASA as a data source. Now I've tried Add > Data Input > UDP > 514 ... but I get the error message "Encountered the following error while trying to save: In handler 'udp': Parameter name: UDP port 514 is not available"
Running netstat -tuna on the Ubuntu Server confirms UDP/514 is not listening. I wanted the SPLUNK server to open that port and "manage" it. I want to keep things as simple as possible and not install another syslog server and then forward onto SPLUNK. What is the most simple solution? Any guides or links much appreciated.
Thanks,
JSM
DETAILED Cisco Commands applied to ASA:
logging enable
logging buffer-size 16096
logging buffered warnings
logging trap notifications
logging history notifications
logging asdm warnings
logging host inside monitoring
NB "monitoring" is my SPLUNK Server 192.168.1.48
This means my Cisco ASA is sending Syslog messages to the Ubuntu Server.
Are you running Splunk as root? If not, you can't listen on ports < 1024. You could make Splunk listen on something like 5140 and tell the ASA to use that UDP port instead.
Also, ubuntu has an iptables-based firewall by default. You'll need to poke the necessary holes for the UDP data to flow.
Question, was that server already in use?
Two thoughts: First, the most likely reason for the error is an application on that server already uses that port on the Splunk host. Second, it could be a permission issue; try starting Splunk using sudo ./splunk start. If that works you have a permission issue with accessing privileged ports.
Note: If you installed Splunk with a non-root user on Linux, typically you can't listen on ports below 1024.
Suggestions if permission issue:
#for setcap
setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
#not sure of syntax for authbind.
Other docs:
Ubuntu authbind manpage
Linux Capabilities manpage
Stack overflow non-root access privileged ports
The capabilities thing looks totally boss. Need to look into this further. Thanks for the info!
Hi. I used the following commands to forward UDP 514 to UDP 5140 & Setup SPLUNK to collect data on 5140. It worked great. Thanks
sudo iptables -t nat -I PREROUTING --src 0/0 --dst 192.168.1.48 -p udp --dport 514 -j REDIRECT --to-ports 5140
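As an added example (not code from this thread, from Splunk, or from the ASA), the following Python script reproduces the bind failure behind "UDP port 514 is not available" in a controlled way and separates the two causes raised in the answers above: a privilege problem (non-root user on a port below 1024) versus another daemon already owning the port. It also does a loopback send/receive check so you can confirm that a UDP listener on your chosen port (e.g. 5140 behind the iptables REDIRECT) really receives datagrams before pointing the ASA at it. The sample ASA message is constructed, and the function names are my own.

```python
# Added example: diagnose why a UDP syslog port cannot be bound and verify a
# listener over loopback. Not part of the original thread.
import errno
import socket

PRIVILEGED_PORT_MAX = 1023

# Constructed sample datagram in Cisco ASA syslog style; not captured from a real device.
SAMPLE_ASA_MSG = (b"<164>%ASA-4-106023: Deny udp src outside:203.0.113.9/514 "
                  b"dst inside:192.168.1.48/514 by access-group \"outside_in\"")


def is_privileged_port(port):
    """True for ports that only root (or a process holding CAP_NET_BIND_SERVICE) may bind on Linux."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def diagnose_udp_bind(port, host="0.0.0.0"):
    """Try to bind a UDP socket on host:port and classify the outcome.

    Returns "ok" (bind succeeded; the socket is closed again), "permission"
    (EACCES: unprivileged user on a port below 1024), "in_use" (EADDRINUSE:
    another process such as rsyslog already owns the port) or "other:<ERRNO>".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EACCES:
            return "permission"
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        return "other:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def hold_udp_port(port=0, host="0.0.0.0"):
    """Bind a UDP socket and keep it open, standing in for a daemon that owns the
    port. port=0 lets the kernel choose a free one; read it via getsockname()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def loopback_check(listener, payload=SAMPLE_ASA_MSG, timeout=2.0):
    """Send payload to the bound listener over loopback and return what it received.

    Equivalent to sending a test message to the Splunk UDP input from the same
    host: if the bytes come back, the listener itself is fine and any remaining
    problem is on the network path (host firewall, ASA logging config)."""
    host, port = listener.getsockname()
    if host == "0.0.0.0":
        host = "127.0.0.1"
    listener.settimeout(timeout)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(payload, (host, port))
        data, _ = listener.recvfrom(65535)
        return data
    finally:
        sender.close()


def remediation(port, result):
    """Map a diagnose_udp_bind() result to the fix discussed in the thread."""
    if result == "ok":
        return "port %d is free and bindable" % port
    if result == "permission" and is_privileged_port(port):
        return ("port %d is privileged: run as root, grant CAP_NET_BIND_SERVICE "
                "with setcap, or listen on a high port (e.g. 5140) and redirect "
                "%d to it with an iptables PREROUTING rule" % (port, port))
    if result == "in_use":
        return ("port %d is already bound by another process (often rsyslog); "
                "stop that service or choose a different port" % port)
    return "port %d: unexpected bind error %s" % (port, result)


if __name__ == "__main__":
    for p in (514, 5140):
        r = diagnose_udp_bind(p)
        print(p, r, "->", remediation(p, r))
```

Run it as the same user that runs Splunk: "permission" on 514 confirms the non-root explanation, while "in_use" means something like rsyslog already holds the port and the REDIRECT to 5140 (or stopping that service) is the way forward.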
and if you have weird/old appliances where you cannot use a port other than 514, you could set up local port forwarding from 514 to your chosen high port.