Getting Data In

sysmon and syslog

tuts
Path Finder

Hello Splunk Community,

I am working on a project that uses Splunk, and I need your assistance in properly installing and configuring both Syslog and Sysmon to ensure efficient data collection and analysis.

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @tuts,

for configuring syslog, you should follow the instructions at https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Data/Monitornetworkports

for sysmon, you should download the Splunk Addon for Sysmon and follow the instructions at https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/About

Ciao.

Giuseppe

tuts
Path Finder

Thank you engineer for me sysmon it worked and I received endpoint data but syslog did not work I want to know the links that the user visits and remove them from network sources

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @tuts ,

debug your situation:

  • are you sure that the routes between endpoints and the syslog receiver are open?
  • did you configured the syslog receiver as described in the above documentation (inputs)?
  • did you disabled the local firewall on the Splunk receiver?

For syslog, instead of the syslog receiving inside Splunk (Splunk Network Inputs) I hint to use an rsyslog receiver that writes syslogs on a file and then with Splunk you can read these files

Ciao.

Giuseppe

0 Karma

JohnEGones
Communicator

@tuts 

As with most things Splunk, the specifics will depend on the details of your environment and chosen deployment. In the question you asked, the Splunk DOCs are sufficient to give you a general idea, but without more details it is harder to give more specific advice.

If you're on-prem, then this is another example:

Monitor files and directories with inputs.conf - Splunk Documentation

Syslog data is sent over port 514, though it can also be configured to transmit and receive on another port and it is usually UDP, which means that they data is best effort but there is no transport guarantee, and so potentially you will lose logs.  Further, depend on your network environment and configuration, you will need to account for any switches and firewalls to ensure that they traffic is being transmitted and received between the source and the syslog receiver, and then the traffic between the syslog server and Splunk (if you have not already configured Splunk to directly receive syslog traffic (and this changes depending on whether this is a linux or windows environment.)

In the hint that Giuseppe gave above, RSYSLOG is a linux native solution that can be set-up to receive syslog data from remote hosts, and configured to deposit them to specific folders that can then be monitored by a UF agent on the syslog server host. 

0 Karma

tuts
Path Finder

It seems like you're looking to pull browser and mail syslog data in Splunk, but you're facing several problems. To clarify your request: you want to know the correct method to track users who have visited specific websites and made changes, correct?

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...