Hi, what's the proper config regarding Data inputs to use the Splunk for Cisco Firewalls app on data received from a forwarder?
In the app setup (using Splunk Web) it only gives options to get data from a TCP or UDP port. I'm using the most recent Splunk for Cisco Firewalls app 1.0.0 and Splunk 4.2. My forwarder has several Data inputs defined as log files on its local machine. It is not doing, and I don't want it to do, indexing. Also, should the app be installed on the Indexer, or on both the forwarder and indexer?
It depends on how your Cisco firewall messages are collected. As syslog over TCP/UDP is common for transferring firewall messages, the app setup provides configuration for that. If that's the case, the app would need to be on both the forwarder and search head. If it's a full forwarder, the app would need to go on the forwarder. If the inputs are on the indexer, then the app needs to be on the indexer.
You mention that your forwarder is monitoring several log files. I was curious to know if those files actually contain your firewall messages. If that's the case, I'm guessing your forwarder receives the syslog firewall messages and writes out to file. If you already have that logging established then the app lives on the search head and forwarder - no need to configure a TCP/UDP port.
Hi dleung, thanks for your help here. Yes the log files contain the firewall messages. However, the forwarder doesn't receive the firewall messages via syslog directly - syslog-ng receives the syslog messages from firewalls, writes them to log files, and the forwarder then monitors those log files. I'm using a heavy forwarder.
So now that I've explained this more clearly, would you still say I need the app installed on the heavy forwarder and the indexer? How do I associate the data inputs (log files) with the app, or is this not necessary and it's automatic?
Right now I only have the app installed on the indexer. I didn't define any inputs for it because it only offers TCP or UDP inputs in its Splunk Web configuration. I made it visible, and the searches it offers seem to return results with fields extracted, but the built-in charts say no data. So I'm guessing I need to manually configure the heavy forwarder and indexer so the events get "associated" to the app and thus intelligence can be made out of the data properly.
But I can't find any documentation on how to configure Splunk/the app in my scenario, using a heavy forwarder to monitor log files.
If you are using a Forwarder to get data into an Indexer, so long as the Indexer is set up to receive data on the port which the Indexer is set to send data on, it should be arriving and indexed by your Indexer. It doesn't really matter what the inputs you have defined on your forwarder are, because it is going to send all of the data it gets over to your indexer. There is no reason to install the app on the Forwarder; it should be sufficient to install it on your Indexer. For details on how to set this up, please see:
Hi jb, thanks for your help. I added more descriptions of my problem and my setup onto dleung's post above. I have it set up as you describe; however, the charts don't show the data. If you have any further suggestions, let me know, tia.
Are the events actually making it over to the indexer? If you look at the events via the search summary, do you see them there? If so, it could be that they aren't configured with the sourcetype that the app is running its searches on. I would take a look to see what the data coming in actually looks like and compare that with the searches that the app uses.
SOLVED: I installed the Splunk for Cisco Firewalls app (and the Splunk for Cisco Security app - because this provides the views and searches to make use of the Splunk for Cisco Firewalls app) on BOTH my heavy forwarder and my indexer.
The install was needed on the forwarder in order for the data to get sourcetyped correctly and have fields extracted correctly, etc. With the app only installed on my indexer, the data was not getting its sourcetype, fields extracted, etc. The install is indeed also needed on the indexer so you have an interface to the views, dashboards, searches, etc. that the Splunk for Cisco Security app provides. Perhaps it's possible you don't need the Splunk for Cisco Firewalls app installed on the indexer, and that you don't need the Splunk for Cisco Security app on the forwarder, but I didn't try this; I just have both installed on the forwarder and indexer.
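For anyone landing here with the same layout (syslog-ng writes firewall messages to files, a heavy forwarder monitors those files, an indexer receives them), the point of the thread is that the sourcetype has to be assigned where the data is parsed, which on a heavy forwarder is the forwarder itself. The stanzas below are an added illustration, not configuration from the app, from Splunk, or from any poster above. The file paths, the host/port of the indexer, the directory layout (one file per firewall, so `host_segment` picks the host name out of the path) and the `CISCO_FIREWALL_SOURCETYPE_PLACEHOLDER` name are all assumptions; replace the placeholder with the stanza name you find in the app's `default/props.conf`, since the app's searches and field extractions are keyed to that sourcetype.

```ini
# --- heavy forwarder: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf ---
# Assumed: syslog-ng writes one file per firewall under /var/log/syslog-ng/<firewall-host>/cisco.log
[monitor:///var/log/syslog-ng/*/cisco.log]
# Must match the sourcetype the Splunk for Cisco Firewalls app's props.conf expects (placeholder!)
sourcetype = CISCO_FIREWALL_SOURCETYPE_PLACEHOLDER
index = main
# Path segment 4 of /var/log/syslog-ng/<firewall-host>/cisco.log is the firewall name (assumption)
host_segment = 4
disabled = 0

# --- heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything to the indexer; do not index locally on the forwarder
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Assumed indexer address; 9997 is the conventional Splunk receiving port
server = indexer.example.internal:9997

# --- indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarded data on the same port the forwarder sends to
[splunktcp://9997]
disabled = 0

# Check on the indexer (search head) that events arrive with the right sourcetype and per-firewall host:
#   sourcetype=CISCO_FIREWALL_SOURCETYPE_PLACEHOLDER | stats count by host
# If this returns nothing but  source=*cisco.log | stats count by sourcetype  shows events
# under another sourcetype, the forwarder is not applying the app's props (app not installed
# there, or the sourcetype name does not match).
```

Restart the forwarder after editing the files. The check search is what distinguishes "data is not arriving" from "data is arriving under the wrong sourcetype", which is the failure the thread ran into: the searches that explicitly filter on the app's sourcetype will be empty even though the raw events are indexed.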