Hello Splunk Community,
I am working on a project that uses Splunk, and I need your assistance in properly installing and configuring both Syslog and Sysmon to ensure efficient data collection and analysis.
Hi @tuts,
For configuring syslog, you should follow the instructions at https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Monitornetworkports
For Sysmon, you should download the Splunk Add-on for Sysmon and follow the instructions at https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/About
Ciao.
Giuseppe
Thank you, engineer. For me, Sysmon worked and I received endpoint data, but syslog did not work. I want to know the links that the user visits and remove them from network sources.
Hi @tuts ,
Let's debug your situation:
For syslog, instead of receiving syslog directly inside Splunk (Splunk Network Inputs), I suggest using an rsyslog receiver that writes the syslog messages to files, which Splunk can then read.
Ciao.
Giuseppe
@tuts
As with most things Splunk, the specifics will depend on the details of your environment and chosen deployment. In the question you asked, the Splunk DOCs are sufficient to give you a general idea, but without more details it is harder to give more specific advice.
If you're on-prem, then this is another example:
Monitor files and directories with inputs.conf - Splunk Documentation
Syslog data is sent over port 514, though it can also be configured to transmit and receive on another port. It is usually UDP, which means that the data is best effort with no transport guarantee, so you could potentially lose logs. Further, depending on your network environment and configuration, you will need to account for any switches and firewalls to ensure that the traffic is being transmitted and received between the source and the syslog receiver, and then between the syslog server and Splunk (if you have not already configured Splunk to directly receive syslog traffic; this also changes depending on whether this is a Linux or Windows environment).
In the hint that Giuseppe gave above, rsyslog is a Linux-native solution that can be set up to receive syslog data from remote hosts and configured to deposit it in specific folders that can then be monitored by a UF agent on the syslog server host.
It seems like you're looking to pull browser and mail syslog data in Splunk, but you're facing several problems. To clarify your request: you want to know the correct method to track users who have visited specific websites and made changes, correct?
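The rsyslog-receiver-plus-file-monitor pattern that Giuseppe and the reply above describe, shown as an added configuration example (it is not from the thread or from Splunk's documentation). Both fragments are mine; the directory /var/log/remote, the index name `network`, and the ruleset and template names are assumptions you would adapt to your own environment.

```conf
# ---- /etc/rsyslog.d/10-remote.conf (added example, assumed path) ----
# Listen on 514 for both UDP and TCP. UDP is what most devices send by
# default; offering TCP as well gives senders that support it a delivery
# guarantee that UDP lacks (the "best effort" caveat discussed above).
# Binding to port 514 needs root or the appropriate capability, and the
# host firewall must allow 514/udp and 514/tcp from your sources.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host per day, so the UF can recover the host name
# from the path and rotation is simply a new file each day.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Keep remote messages out of the local /var/log/syslog stream.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# ---- $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf (on the UF) ----
# Monitor the per-host directories written above. host_segment=4 takes the
# fourth path segment (/var/log/remote/<host>/...) as the Splunk host field,
# so events are attributed to the sender rather than to the syslog server.
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
index = network
host_segment = 4
disabled = 0
```

After restarting rsyslog and the forwarder, confirm on the syslog host that files appear under /var/log/remote/<sender>/ before looking in Splunk; if nothing is written there, the problem is network or firewall reachability to port 514, not the Splunk side. Note that the `network` index must already exist on the indexers, otherwise the forwarder's data is dropped.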