Getting Data In

getting syslog from juniper firwall

sarah89
Path Finder

hello

i want to get data from my juniper firwall , i set a configuration of juniper and i mention the port and the ip adresse of the server
than i choose in splunk, add data from tcp port ,and i set the port and the ip adress of juniper
but it does'nt work ,i don't see the syslog in th summary of search
please tell if this procedure is correct , or if i miss something

thk's

0 Karma

MarioM
Motivator

Do you see anything with this:

index=_internal sourcetype="splunkd" component="Metrics" "your juniper fw ip address"

if there is nothing then your juniper is not sending data (logging profile or firewall rule to be created)

if there is something then try :

index="*" NOT index="_*" "your juniper fw ip address"

OR

index="*" sourcetype="jun*"

to see if you have any data and what sourcetype it has and which index it's in.

0 Karma

MarioM
Motivator

well it seems in log extract you paste earlier your ssg is sending in UDP or splunk is listening in udp:
_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

then to be sure you get the data i would create in splunk 2 data inputs: one tcp one udp...on the port number you specified in your ssg

0 Karma

sarah89
Path Finder

i'm sending via tcp port not udp

0 Karma

MarioM
Motivator

could you please comment on previous answer rather than creating new answer everytime...

are you sure you sending via UDP and haven't tick TCP?

I would create a Manager >> Data inputs >> TCP >> New on the same port as udp(5410) to be sure.

0 Karma

sarah89
Path Finder

it's an ssg 20

0 Karma

kristian_kolb
Ultra Champion

Does not the Metrics data indicate that you have set your splunk to listen to UDP (and you yourself say that your firewall is sending TCP)?

Make sure that you are listening for the type of traffic you are sending.

/k

0 Karma

MarioM
Motivator

which juniper firewall products you have? is it juniper SRX?

if it is then to get SRX logs see Juniper KB16634 and KB16224.

0 Karma

sarah89
Path Finder

that how i configure my firewall, can you take a look on this please
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759

0 Karma

MarioM
Motivator

your juniper isnot sending anything :

_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

then you have to check your juniper

0 Karma

sarah89
Path Finder

that's what i got when i put the first expression
6 events like this one

1 » 4/3/12
11:40:58.727 AM  04-03-2012 11:40:58.727 +0200 INFO  Metrics - group=udpin_connections, 192.168.0.111:5410, sourcePort=5410, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00host=lab2008   Options|  sourcetype=splunkd   Options|  source=C:\Program Files\Splunk\var\log\splunk\metrics.log   Options

and when i put the second expression , it doesn't give me anything

what i should do ??

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...