Installation

How to send Logs with SYSLOG?

SplunkDash
Motivator

Hello,

We have some appliances data/logs, require me to send/receive those logs with SYSLOG. I have a server to receive those logs and I also know we need to use TCP/UDP port.   How would I proceed? What else I need to have, and those logs need to have any specific format?    Any help/recommendations will be highly appreciated.

Thank you so much!

 

0 Karma

rh71rdu
Explorer

Hi, I'm trying to connect my router's syslog to Splunk enterprise on my Mac as a "hello world," to see Splunk in action. 

I have installed Splunk>enterprise and started that successfully. I opened 127.0.0.1:8000 and added a UDP data input with port 514 and a source type "syslog". It is enabled.

On my router I have logged in and configured the syslog to be sent to my mac's internal ip address 192.168.1.244:514 (the one on ethernet, all other network cards on this mac are down) with log level L0--Emergency. 

I know UDP isn't perfect and drops packets but my Mac is up continuously and I expected this to send all logs to my Mac port 514 to be captured by Splunk enterprise that is running.

However, in Splunk I am only getting 2 events (found by searching for the number "0"). 14 devices are on my network (including iPhones, iPads, Macs, Windows, a watch, HomePods, as well as some IoT devices like a Blink! camera hub with 4 cameras), so I would expect a lot of traffic on the syslog.

Do you have any suggestions as to how to see more (or generate more) in the log... I was hoping to check email on my iPhone or do a google search and see some connections to the server.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rh71rdu,

as you said UDP isn't the best way to send data, but anyway, maybe your pc is overbooked and there's a queue problem.

Anyway, analyzing point by point:

  • the connection is active, in fact you're receiving data,
  • if you don't receive data from another device, check the connection by telnet,
  • check the traffic on your pc (tcpdump),
  • what is the configuration of your pc? Remember that Splunk Enterprise requires a lot of resources,
  • try to use different ports for different sources.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust
SplunkTrust

Hi @SplunkDash,

you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

in a few words, you have to:

  • choose a port on your sender (some systems can send logs only on port 514),
  • choose a protocol on your sender (TCP or UDP),
  • check the routes between sender and receiver for that protocol and that port,
  • enable on your Splunk receiver a network input [Settings -- Inputs -- Network inputs],
  • associate to the network input:
    • port,
    • protocol,
    • sourcetype (it depends on the logs you're ingesting),
    • index (where you want to store the logs),
    • host (the hostname or the IP address of the source),
    • source (the source name),
  • enable on your sender the log sending.

Searching in Splunk for "index=your_index host=your_host", you can check if you're receiving logs.

It's also useful to use the Splunk Connect for Syslog App (https://splunkbase.splunk.com/app/4740/) that helps you in syslog ingestion.

About format, it depends on the specific kind of logs, it's useful to use a Technical Add-On for the technology you're using that you can find at apps.splunk.com.

Ciao.

Giuseppe

SplunkDash
Motivator

Hello,

Thank you so much, appreciated your support in these efforts. I have a couple of questions

* sourcetype (it depends on the logs you're ingesting): what do you mean by "depends on log types" here? You meant we need to assign the source type based on the data format?

* Do we need to assign a port at the receiving end as well?

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SplunkDash,

as I said, if you're using a standard TA (from Splunkbase), you have to assign a specific sourcetype to your logs that is specific for the kind of your logs, e.g. cisco:asa is mandatory in this format and different than cisco-asa, otherwise the transformations and parsing actions will not be applied.

If you look in the inputs.conf, you have to define the port to use for receiving logs and it must be the same as in the source configuration: in Splunk this port is configurable, whereas not all the appliances can choose the port to use; anyway, obviously it must be the same in source and receiver.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SplunkDash,

this means that, if you're ingesting Checkpoint logs, you have to install in the Splunk server you're using for syslog capture (usually Heavy Forwarders) a Technical Add-On (usually called a TA) that you can download from apps.splunk.com.

If there isn't a TA for your technology, you have to manually build your TA to parse your logs.

Sourcetype doesn't depend on the data format but on the source technology you're ingesting.

The port to assign in the Data Input must be the same as the one you have in the source system, by default 514.

Ciao.

Giuseppe
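The steps from the posts above (a network input defined by port, protocol, sourcetype and index; the sender must target exactly the port declared in inputs.conf; the message format the appliance sends) as an added, runnable example. This is not code from the thread or from Splunk: a plain UDP socket stands in for the Splunk receiver, so nothing here needs Splunk installed. The inputs.conf stanza, the placeholder port 10514, the host router1 and the DHCP message are all constructed for the demo. The example also decodes the <PRI> header into facility and severity, which is the 0 = emergency ... 7 = debug scale that a sender's log-level setting refers to.

```python
"""
Added example, not code from the Splunk Community thread or from Splunk:
a syslog round trip on localhost. A constructed inputs.conf stanza is parsed
to learn which UDP port and sourcetype the receiver uses, an RFC 3164 message
is built with its <PRI> header, sent over UDP, received and decoded into
facility, severity, host, tag and message.
"""
import configparser
import re
import socket
from datetime import datetime

# Constructed inputs.conf stanza in Splunk's network-input format. Port 10514
# is a placeholder (514 is privileged on macOS/Linux); the lesson is only that
# the sender must target whatever port the stanza declares.
INPUTS_CONF = """
[udp://10514]
sourcetype = syslog
index = network
connection_host = ip
"""

# Syslog severity codes: 0 = emergency ... 7 = debug. A sender configured for
# level 0 only emits emergency messages.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (day is space-padded)
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$"
)


def parse_inputs_conf(text):
    """Return protocol, port, sourcetype and index from the first network stanza."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    for section in cp.sections():
        m = re.fullmatch(r"(udp|tcp)://(\d+)", section)
        if m:
            return {"protocol": m.group(1), "port": int(m.group(2)),
                    "sourcetype": cp[section]["sourcetype"],
                    "index": cp[section]["index"]}
    raise ValueError("no [udp://port] or [tcp://port] stanza found")


def build_syslog(facility, severity, host, tag, msg, when=None):
    """Build an RFC 3164 message; PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {msg}"


def parse_syslog(line):
    """Decode an RFC 3164 line into its fields; reject malformed PRI values."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"invalid PRI {pri}")
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITIES[pri % 8], "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "msg": m.group(6)}


def free_udp_port():
    """Ask the OS for an unused UDP port (only to keep the demo portable)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def round_trip(conf_text, line, sender_port=None, timeout=1.0):
    """Listen on the stanza's port, send `line` to sender_port (default: the same
    port) and return the decoded event, or None if nothing arrives within the
    timeout, which is exactly the symptom of a sender/receiver port mismatch."""
    inp = parse_inputs_conf(conf_text)
    if inp["protocol"] != "udp":
        raise ValueError("this demo only handles udp:// stanzas")
    target = sender_port if sender_port is not None else inp["port"]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", inp["port"]))
        rx.settimeout(timeout)
        tx.sendto(line.encode(), ("127.0.0.1", target))
        try:
            data, (src_ip, _) = rx.recvfrom(2048)
        except socket.timeout:
            return None
    event = parse_syslog(data.decode(errors="replace"))
    # Fields Splunk would attach from the stanza: sourcetype, index and, with
    # connection_host = ip, the host taken from the sender's address.
    event.update(sourcetype=inp["sourcetype"], index=inp["index"],
                 connection_host=src_ip)
    return event


if __name__ == "__main__":
    conf = INPUTS_CONF.replace("10514", str(free_udp_port()))
    msg = build_syslog(4, 6, "router1", "dhcpd",
                       "DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:ff")  # constructed
    print(round_trip(conf, msg))
    print(round_trip(conf, msg, sender_port=free_udp_port()))  # None: port mismatch
```

The second call in the `__main__` block sends to a different port than the one the stanza declares and gets nothing back, which is what "only 2 events" or "no events" looks like from the Splunk side when the appliance and the input disagree on the port. Replace the placeholder port with the one in your own inputs.conf and point the sender at the receiver's real address to reproduce the check against a live input.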

SplunkDash
Motivator

Hello @gcusello,

I have a general question on using TA available in SPLUNKBASE.

What is the best practice to bring the data in:  Use TA if possible if possible Or use Splunk agents (UF/HF, REST API, HEC); why? Any detail would be highly appreciated. Thank you so much as always.

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SplunkDash,

this is a different question and I suggest creating a new one so more people can answer quicker and probably better than me.

Anyway, if possible always use the Universal Forwarder to take logs, because in this way you have many advantages (caching in failover, auto load balancing, bandwidth optimization, etc...).

REST APIs are usually used for special use cases (e.g. extraction of data from external systems, such as cloud environments).

HEC is used for applications.

Syslog is used when you haven't other opportunities and usually from appliances that are closed and not modifiable.

Lastly, use WMI only when you haven't any other way to extract logs from Windows, and possibly avoid it!

Anyway, Splunkbase's TAs are used not only to input data but also to parse them; in fact they are used on Forwarders but also on Indexers and Search Heads.

Ciao.

Giuseppe

SplunkDash
Motivator

Hello @gcusello 

Would it be possible to have some details on SPLUNK default 8000, 8089, and 9997 ports. I know 8000 is a web port, 8089 is management, and 9997 is for data receiving/forwarding. But it would be great if you are kind enough to have more details on those ports. Thank you so much and appreciate your support in these efforts. 

0 Karma

SplunkDash
Motivator

Hello @gcusello.

I am extremely sorry, there was a typo in my last message, my sincere apologies! Now resending that message again. Thank you!

Would it be possible to have some details on SPLUNK default 8000, 8089, and 9997 ports? I know 8000 is a web port, 8089 is management, and 9997 is for data receiving/forwarding. But it would be great if you are kind enough to have more details on those ports. Thank you so much and appreciate your support in these efforts. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SplunkDash,

Sorry, but I don't understand which kind of details you expect; anyway, here you can find a description of all ports used by Splunk: https://community.splunk.com/t5/Deployment-Architecture/Diagram-of-Splunk-Common-Network-Ports/m-p/1...

Ciao.

Giuseppe

SplunkDash
Motivator

Hello @gcusello,

Sorry, I was not that detailed in my previous email.

Actually, I meant, when should we use each of those ports? Thank you so much again. 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SplunkDash,

as you can read in the above link, it depends on what you want to do:

  • to access GUI interface, you use port 8000,
  • to send data 9997,
  • etc...

If you haven't any special request (e.g. having both forwarders with and without SSL), my hint is to use the default ports.

It's the same thing when you study operating system ports: you have to know that there are these ports and that you can use them for a purpose.

Ciao.

Giuseppe
