Hello,
We have some appliance data/logs, which require me to send/receive those logs with SYSLOG. I have a server to receive those logs and I also know we need to use a TCP/UDP port. How would I proceed? What else do I need to have, and do those logs need to have any specific format? Any help/recommendations will be highly appreciated.
Thank you so much!
Hi @SplunkDash,
this means that, if you're ingesting Checkpoint logs, you have to install on the Splunk server you're using for syslog capture (usually Heavy Forwarders) a Technical Add-On (usually called a TA) that you can download from apps.splunk.com.
If there isn't a TA for your technology, you have to manually build your TA to parse your logs.
Sourcetype doesn't depend on the data format but on the source technology you're ingesting.
The port to assign in the Data Input must be the same as the one you have in the source system, by default 514.
Ciao.
Giuseppe
Hi, I'm trying to connect my router's syslog to Splunk enterprise on my Mac as a "hello world," to see Splunk in action.
I have installed Splunk>enterprise and started that successfully. I opened 127.0.0.1:8000 and added a UDP data input with port 514 and a source type "syslog". It is enabled.
On my router I have logged in and configured the syslog to be sent to my Mac's internal IP address 192.168.1.244:514 (the one on Ethernet; all other network cards on this Mac are down) with log level L0--Emergency.
I know UDP isn't perfect and drops packets, but my Mac is up continuously and I expected this to send all logs to my Mac port 514 to be captured by the Splunk Enterprise that is running.
However, in Splunk I am only getting 2 events (found by searching for the number "0"). 14 devices are on my network (including iPhones, iPads, Macs, Windows, a watch, HomePods, as well as some IoT devices like a Blink! camera hub with 4 cameras), so I would expect a lot of traffic on the syslog.
Do you have any suggestions as to how to see more (or generate more) in the log... I was hoping to check email on my iPhone or do a google search and see some connections to the server.
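The post above sends router syslog to a Mac on UDP 514 and sees almost nothing arrive. As an added example (not code from the thread or from Splunk), the block below shows the two checks a practitioner would run before blaming packet loss: it builds a BSD-syslog line, decodes the `<PRI>` header into facility and severity (the router's "log level" is a severity cutoff, and severity 0 is Emergency), and does a loopback UDP round trip to prove a listener on the host actually receives datagrams. The hostnames, tags and timestamp are constructed sample values.

```python
import socket
from datetime import datetime

# RFC 3164 / RFC 5424 severity codes, index = numeric value (0 = emerg ... 7 = debug)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_rfc3164(facility: int, severity: int, host: str, tag: str, msg: str, ts=None) -> bytes:
    """Construct a BSD-syslog line '<PRI>Mmm dd HH:MM:SS HOST TAG: MSG' with PRI = facility*8 + severity."""
    ts = ts or datetime(2024, 1, 1, 12, 0, 0)  # fixed constructed timestamp so output is reproducible
    stamp = f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S}"  # BSD format pads the day with a space, not a zero
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {msg}".encode()


def parse_pri(line: bytes):
    """Return (facility, severity, severity_name, rest) from a <PRI>-prefixed syslog line."""
    text = line.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> header")
    end = text.index(">")
    pri = int(text[1:end])
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return facility, severity, SEVERITIES[severity], text[end + 1:]


def passes_level(severity: int, max_level: int) -> bool:
    """A sender configured with log level N forwards only messages whose severity <= N (level 0 = Emergency only)."""
    return severity <= max_level


def loopback_roundtrip(payload: bytes, port: int = 0) -> bytes:
    """Bind a UDP listener on 127.0.0.1 (port 0 = ephemeral), send payload to it and return what arrived.

    Binding 514 on macOS/Linux needs root; the ephemeral port shows whether UDP delivery works at all.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2)
        tx.sendto(payload, rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return data


if __name__ == "__main__":
    msg = build_rfc3164(4, 6, "router", "dhcpd", "lease renewed")  # facility 4 = auth, severity 6 = info
    print(parse_pri(loopback_roundtrip(msg)))
    print("forwarded at level 0:", passes_level(parse_pri(msg)[1], 0))
```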
Hi @rh71rdu,
as you said, UDP isn't the best way to send data, but anyway, maybe your PC is overbooked and there's a queue problem.
Anyway, analyzing point by point:
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @SplunkDash,
you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports
in a few words, you have to:
Searching on Splunk for "index=your_index host=your_host", you can check if you're receiving logs.
It's also useful to use the Splunk Connect for Syslog App (https://splunkbase.splunk.com/app/4740/), which helps you with syslog ingestion.
About format, it depends on the specific kind of logs; it's useful to use a Technical Add-On for the technology you're using, which you can find at apps.splunk.com.
Ciao.
Giuseppe
Hello,
Thank you so much, I appreciate your support in these efforts. I have a couple of questions:
* sourcetype (it depends on the logs you're ingesting): what do you mean by "depends on log types" here? Do you mean we need to assign the source type based on the data format?
* Do we need to assign a port at the receiving end as well?
Hi @SplunkDash,
as I said, if you're using a standard TA (from Splunkbase), you have to assign a specific sourcetype to your logs that is specific to the kind of logs you have, e.g. cisco:asa is mandatory in this format and is different from cisco-asa; otherwise the transformations and parsing actions will not be delivered.
If you look in inputs.conf, you have to define the port to use for receiving logs, and it must be the same as in the source configuration: in Splunk this port is configurable, whereas not all appliances can choose the port to use; anyway, obviously it must be the same in source and receiver.
Ciao.
Giuseppe
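As an added illustration (not a configuration from the thread or from a Splunkbase TA), this is what the receiving side described above looks like in inputs.conf on the heavy forwarder: the port stanza must match what the appliance sends to, and the sourcetype must be spelled exactly as the TA expects. The index name `network` and the choice of cisco:asa are assumptions for the example.

```ini
# Receive syslog on UDP 514 (the appliance's default); binding a port below 1024 needs
# root on Linux/macOS, so many sites run syslog on a high port or use Splunk Connect for Syslog.
[udp://514]
sourcetype = cisco:asa
index = network
connection_host = ip
no_appending_timestamp = true
disabled = 0

# Same for TCP if the appliance supports it (no packet loss, but it must be enabled on both ends).
[tcp://514]
sourcetype = cisco:asa
index = network
connection_host = ip
disabled = 0
```

With this in place, the search from the earlier answer (index=network host=<appliance IP>) shows whether events arrive and whether the TA's field extractions apply to them.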
Hello @gcusello,
I have a general question on using TA available in SPLUNKBASE.
What is the best practice to bring the data in: use a TA if possible, or use Splunk agents (UF/HF, REST API, HEC)? Why? Any detail would be highly appreciated. Thank you so much as always.
Hi @SplunkDash,
this is a different question and I suggest that you create a new one so more people can answer quicker and probably better than me.
Anyway, if possible always use the Universal Forwarder to take logs, because in this way you have many advantages (caching in failover, auto load balancing, bandwidth optimization, etc.).
REST APIs are usually used for special use cases (e.g. extraction of data from external systems, such as cloud environments).
HEC is used for applications.
Syslog is used when you don't have other opportunities, and usually for appliances that are closed and not modifiable.
Last, use WMI only when you don't have any other way to extract logs from Windows, and possibly avoid it!
Anyway, Splunkbase TAs are used not only to input data but also to parse them; in fact they are used not only on Forwarders but also on Indexers and Search Heads.
Ciao.
Giuseppe
Hello @gcusello
Would it be possible to have some details on SPLUNK default 8000, 8089, and 9997 ports. I know 8000 is a web port, 8089 is management, and 9997 is for data receiving/forwarding. But it would be great if you are kind enough to have more details on those ports. Thank you so much and appreciate your support in these efforts.
Hello @gcusello.
I am extremely sorry, there was a typo in my last message, my sincere apologies! Now resending that message again. Thank you!
Would it be possible to have some details on SPLUNK default 8000, 8089, and 9997 ports? I know 8000 is a web port, 8089 is management, and 9997 is for data receiving/forwarding. But it would be great if you are kind enough to have more details on those ports. Thank you so much and appreciate your support in these efforts.
Hi @SplunkDash,
Sorry, but I don't understand which kind of details you're waiting for; anyway, here you can find a description of all ports used by Splunk: https://community.splunk.com/t5/Deployment-Architecture/Diagram-of-Splunk-Common-Network-Ports/m-p/1...
Ciao.
Giuseppe
Hello @gcusello,
Sorry, I was not that detailed in my previous email.
Actually, I meant, when should we use each of those ports? Thank you so much again.
Hi @SplunkDash,
as you can read in the above link, it depends on what you want to do:
If you don't have any special requirement (e.g. having both forwarders with and without SSL), my hint is to use the default ports.
It's the same thing as when you study operating system ports: you have to know that these ports exist and that you can use them for a purpose.
Ciao.
Giuseppe