i want to get data from my juniper firwall , i set a configuration of juniper and i mention the port and the ip adresse of the server
than i choose in splunk, add data from tcp port ,and i set the port and the ip adress of juniper
but it does'nt work ,i don't see the syslog in th summary of search
please tell if this procedure is correct , or if i miss something
Do you see anything with this:
index=_internal sourcetype="splunkd" component="Metrics" "your juniper fw ip address"
if there is nothing then your juniper is not sending data (logging profile or firewall rule to be created)
if there is something then try :
index="*" NOT index="_*" "your juniper fw ip address"
to see if you have any data and what sourcetype it has and which index it's in.
well it seems in log extract you paste earlier your ssg is sending in UDP or splunk is listening in udp:
_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
then to be sure you get the data i would create in splunk 2 data inputs: one tcp one udp...on the port number you specified in your ssg
could you please comment on previous answer rather than creating new answer everytime...
are you sure you sending via UDP and haven't tick TCP?
I would create a Manager >> Data inputs >> TCP >> New on the same port as udp(5410) to be sure.
Does not the Metrics data indicate that you have set your splunk to listen to UDP (and you yourself say that your firewall is sending TCP)?
Make sure that you are listening for the type of traffic you are sending.
that's what i got when i put the first expression
6 events like this one
1 » 4/3/12 11:40:58.727 AM 04-03-2012 11:40:58.727 +0200 INFO Metrics - group=udpin_connections, 192.168.0.111:5410, sourcePort=5410, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00host=lab2008 Options| sourcetype=splunkd Options| source=C:\Program Files\Splunk\var\log\splunk\metrics.log Options
and when i put the second expression , it doesn't give me anything
what i should do ??