Hey all, I just wanted to get people's opinion on the best method for getting firewall data into Splunk. We have firewall logs coming via syslog. We are using Rsyslog and it's working fine. The data for the firewall is coming into a central point which then forwards it to our heavy forwarders.
So the data path looks like this (firewall) > (firewall log collection node) > (load balancer) > (HF) > Indexer
The catch to all of it is, the host coming into Splunk was the firewall log collection node instead of the firewall itself. To get the host name of the firewall, we can extract that from the message. The question is, where is it better to extract that?
The messages look like this:
blah blah blah originsicname=CN\=THIS_IS_THE_HOSTNAME,O\=somethingelse sequencenum=3291 some more blah blah blah
Option 1: Let rsyslog do it.
The messages come in and we have a regex routine in rsyslog that extracts the host from the logs and places it in a folder path that contains the host. The template and rsyslog script are below.
If you are able to extract and write the source firewall_hostname into the absolute path of the log file, and you are running a Splunk UF on the host where the *.log files are being written, then use the host_segment setting in inputs.conf to override the default host field.
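To show how the two halves of this answer fit together (the rsyslog-side regex extraction of the hostname from the originsicname field, and Splunk's host_segment picking that hostname back out of the file path), here is an added example that is not from either poster. It assumes a hypothetical directory layout of /var/log/firewall/<hostname>/fw.log, uses constructed sample lines in the format quoted in the question, and falls back to an "unknown" directory when a message carries no hostname so nothing is silently dropped.

```python
import re
from typing import Optional

# Constructed sample lines in the shape quoted in the question (not real firewall output).
SAMPLE_LINES = [
    r"blah blah blah originsicname=CN\=THIS_IS_THE_HOSTNAME,O\=somethingelse sequencenum=3291 some more blah blah blah",
    r"blah blah blah originsicname=CN\=fw-edge-02,O\=example sequencenum=3292 trailing text",
    "no origin field here at all sequencenum=3293",
]

# The value is written as CN\=hostname,O\=...; the backslash before '=' is the
# sender's escaping, so the pattern allows an optional backslash before '='.
ORIGIN_RE = re.compile(r"originsicname=CN\\?=([^,\s]+)")


def extract_firewall_host(message: str) -> Optional[str]:
    """Return the firewall hostname embedded in the message, or None if absent."""
    m = ORIGIN_RE.search(message)
    return m.group(1) if m else None


def log_path_for(message: str, base_dir: str = "/var/log/firewall") -> str:
    """Build the per-host file path rsyslog would write to (hypothetical layout).

    Messages with no hostname land in an 'unknown' directory rather than being lost,
    which also makes parsing failures visible as a distinct host in Splunk.
    """
    host = extract_firewall_host(message) or "unknown"
    return f"{base_dir}/{host}/fw.log"


def host_from_segment(path: str, host_segment: int) -> str:
    """Mimic Splunk's inputs.conf host_segment: the Nth '/'-separated segment of the
    path (1-based, leading slash ignored) becomes the host field.

    For the layout above the matching (hypothetical) inputs.conf stanza would be:
        [monitor:///var/log/firewall/*/fw.log]
        host_segment = 4
        sourcetype = firewall
    """
    segments = path.lstrip("/").split("/")
    if host_segment < 1 or host_segment > len(segments):
        raise ValueError(f"host_segment={host_segment} is out of range for {path}")
    return segments[host_segment - 1]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        path = log_path_for(line)
        print(f"{path} -> host={host_from_segment(path, 4)}")
```

Whatever segment number you choose, verify it against the full path the UF actually monitors; a different base directory on the UF host shifts the count and silently assigns the wrong host.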