NEWBIE: Splunk as a syslog server

DStalker
New Member

Hopefully, someone could guide me through this process.

Newbie here. Please bear with me with these lame questions. 😄

All I wanted to do is push my routers' logs pointing to the Syslog server.

Can I implement this using Splunk without a good background in programming? I know IP routing but not much on coding. I can configure all routers pointing to the syslog server.

What are the things I need to consider? From hardware to installation of splunk? What splunk should I need to subscribe if I only wanted to implement a syslog server? 

Do we have a step-by-step tutorial on how do we implement this by beginners point-of-view?

Thank you so much. Appreciate someone could help me.

God bless and Keep safe guys!


gcusello
SplunkTrust

Hi @DStalker,

Splunk has a built-in syslog server function and a dedicated app to do this: Splunk Connect for Syslog (https://splunkbase.splunk.com/app/4740/), and it doesn't require programming knowledge, only a little Splunk knowledge.

To do this, at first you have to define if you want HA or not:

  • if yes you have to use two Heavy Forwarders and a Load Balancer,
  • if not, you need only one Load Balancer.

This is important because, as you know, you have to take syslogs when they arrive, otherwise they are lost, so you need a system with two servers so that at least one of them is always active, also during failure or maintenance.

Anyway, the steps are the following (not HA):

  • make a list of your sources, identifying:
    • source address,
    • source hostname,
    • available protocol (TCP/UDP)
    • configurable ports (default 514; some appliances can set a different output port, some others cannot),
  • open the firewall routes between syslog sources and Heavy Forwarder,
  • install a server: also virtual, possibly Linux, with the normal requirements for Splunk,
  • install Splunk Enterprise: a Heavy Forwarder is a Splunk instance where logs are forwarded to other Indexers,
  • configure HF to forward logs to indexers [Settings -- Forwarding and Receiving -- Forward Data]:
    • Forwarding default: Yes
    • Configure Forwarding: insert the addresses of your indexers,
  • install Splunk Connect for Syslog,
  • in Connect for Syslog configure Inputs to ingest the logs from the listed syslog sources following the instructions in the App,
  • configure your syslog sources to send logs to the HF address using the configured port and protocol,
  • if you can configure the port in your syslog sources, use a different port for each kind of source (e.g. all Fortinet Firewalls on 515, all proxies on 516, etc...), otherwise leave 514 on all the sources.
  • Check the ingestion in Splunk running a simple search index=syslog_index (the index you configured in inputs).

If you want HA, only the first part is different, because you have to configure two HFs and the Load Balancer to distribute the load between the HFs, then you have to use the LB address as destination from your syslog sources.

If you search on Google, you can find a lot of documentation and videos about this, e.g.:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Monitornetworkports

https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-sys...

https://www.youtube.com/watch?v=BQU-bsSCXhk

Ciao.

Giuseppe

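An added example to go with the reply above (this is not Giuseppe's code and not part of the Splunk Connect for Syslog app): a small shell script that builds a router-style RFC 3164 syslog message and pushes it at the collector, so you can confirm the HF / SC4S listener and the port-per-source plan end to end before repointing real routers. The collector address 10.0.0.10, the port mapping, and the sample message are constructed assumptions; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: build a router-style RFC 3164 syslog
# message and send it to the collector so the HF / SC4S listener can be
# checked end to end before real routers are repointed. The collector
# address and the port plan below are constructed assumptions.

COLLECTOR=${COLLECTOR:-10.0.0.10}

# One port per kind of source, as the reply above suggests; unlisted kinds
# stay on the default 514. Adjust to your own inventory.
port_for_kind() {
    case "$1" in
        fortinet) echo 515 ;;
        proxy)    echo 516 ;;
        *)        echo 514 ;;
    esac
}

# RFC 3164 PRI is facility * 8 + severity. Cisco IOS logs to local7 (23)
# by default, so a notice-level (5) router message carries <189>.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Builds "<PRI>MMM dd HH:MM:SS host tag: message".
# Args: facility severity host tag message [timestamp]; the optional
# timestamp keeps the output deterministic for checks, the live default
# uses the current time in the RFC 3164 layout.
syslog_line() {
    ts=${6:-$(date '+%b %e %H:%M:%S')}
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$ts" "$3" "$4" "$5"
}

# UDP send through bash's /dev/udp (no netcat needed; bash only, not dash).
# A zero exit status says nothing about delivery: UDP is fire-and-forget,
# which is exactly why the reply insists on a collector that is always up.
send_udp() {   # host port line
    printf '%s\n' "$3" > "/dev/udp/$1/$2"
}

# Usage: ./syslog_probe.sh send [kind]   e.g. ./syslog_probe.sh send fortinet
case "${1:-}" in
    send)
        kind=${2:-router}
        port=$(port_for_kind "$kind")
        # Constructed message in the shape of a Cisco IOS config-change log.
        line=$(syslog_line 23 5 rtr-test probe \
               '%SYS-5-CONFIG_I: Configured from console by admin on vty0')
        send_udp "$COLLECTOR" "$port" "$line"
        echo "sent to $COLLECTOR:$port -> $line"
        ;;
esac
```

After a probe, run the search from the reply (index=syslog_index, narrowed with host=rtr-test) on the indexers; if nothing shows up, check the firewall path and the listener port before touching the routers. Keep the probe host name distinct from any real device so the test events are easy to find and delete.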

Stefanie
Builder

Hey, I know barely anything about programming, but we have four syslog servers which accept logs and forward to Splunk.

How we do it, we have a server we designate as a "syslog server" with a universal forwarder on it.

In the /etc/rsyslog.d/external.conf we have rulesets and inputs configured for the types of servers we have.

Since you will only forward logs for routers, I doubt yours would be complicated 🙂

After configuring your syslog, then you can configure the inputs.conf to monitor that directory.

The free version of Splunk should be more than enough to monitor your router's logs. So you shouldn't have to install a universal forwarder on a separate machine, and then forward that to your Splunk server.

Hope this helps, let me know if you need a little more guidance.

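An added example of the rsyslog-plus-universal-forwarder layout Stefanie describes (it is not her external.conf and not Splunk's own configuration): the script writes an rsyslog ruleset that listens on 514 and files each router's logs under its own directory, writes the matching Splunk inputs.conf monitor stanza, and checks that both point at the same directory, which is the usual reason "nothing shows up" with this setup. The directory /var/log/remote, the app path, and the index name network are assumptions; write into a scratch directory first and copy the files into place after review.

```shell
#!/usr/bin/env bash
# Added example, not the configuration from the post above. Generates an
# rsyslog ruleset for router syslog plus the Splunk universal forwarder
# inputs.conf that tails its output, and checks that the two agree.
# Paths and index name below are assumptions; override via environment.

RSYSLOG_CONF_DIR=${RSYSLOG_CONF_DIR:-/etc/rsyslog.d}
SPLUNK_APP_DIR=${SPLUNK_APP_DIR:-/opt/splunkforwarder/etc/apps/router_syslog/local}
LOG_DIR=${LOG_DIR:-/var/log/remote}   # rsyslog writes here, the forwarder reads here
SYSLOG_INDEX=${SYSLOG_INDEX:-network} # assumed index; create it on the indexer first

# Splunk's host_segment counts path segments from 1 after the leading slash:
# /var/log/remote/<router>/... -> var=1 log=2 remote=3 router=4.
host_segment_for() {   # $1 absolute directory
    slashes=$(printf '%s' "${1%/}" | tr -cd '/' | wc -c)
    echo $(( slashes + 1 ))
}

write_rsyslog_conf() {   # $1 output file
    cat > "$1" <<EOF
# Routers send to udp/514 and tcp/514; one file per router per day.
# Files are 0640 so only root (and the group you add) can read router logs.
# If the forwarder runs as an unprivileged user, add fileGroup="splunk"
# dirGroup="splunk" to the omfile action (assumed group name).
module(load="imudp")
module(load="imtcp")

template(name="RouterFile" type="string"
         string="${LOG_DIR}/%HOSTNAME%/%\$YEAR%-%\$MONTH%-%\$DAY%.log")

ruleset(name="routers") {
    action(type="omfile" dynaFile="RouterFile"
           fileCreateMode="0640" dirCreateMode="0750")
    stop
}

input(type="imudp" port="514" ruleset="routers")
input(type="imtcp" port="514" ruleset="routers")
EOF
}

write_inputs_conf() {   # $1 output file
    cat > "$1" <<EOF
# Universal forwarder: tail everything rsyslog writes under ${LOG_DIR};
# the router's name comes from the directory, not from the forwarder host.
[monitor://${LOG_DIR}]
sourcetype = syslog
index = ${SYSLOG_INDEX}
host_segment = $(host_segment_for "$LOG_DIR")
disabled = 0
EOF
}

monitor_path_of() {   # directory from the "[monitor://...]" stanza
    sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1"
}

rsyslog_dir_of() {   # directory prefix of the dynaFile template
    sed -n 's/.*string="\([^"]*\)\/%HOSTNAME%.*/\1/p' "$1"
}

write_all() {   # $1 target directory (scratch first, then copy into place)
    mkdir -p "$1"
    write_rsyslog_conf "$1/external.conf"
    write_inputs_conf "$1/inputs.conf"
    # Syntax check only; no daemon is started. Skipped if rsyslog is absent.
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1/external.conf" || echo "rsyslog syntax check failed" >&2
    fi
    [ "$(rsyslog_dir_of "$1/external.conf")" = "$(monitor_path_of "$1/inputs.conf")" ] \
        || { echo "rsyslog output dir and Splunk monitor path differ" >&2; return 1; }
}

# Usage: ./gen_router_syslog.sh write /tmp/review
case "${1:-}" in
    write) write_all "${2:?target dir}" ;;
esac
```

Once reviewed, external.conf goes to ${RSYSLOG_CONF_DIR} and inputs.conf to ${SPLUNK_APP_DIR}, then restart rsyslog and the forwarder. Prefer the TCP input for routers that support it; the UDP one is there because most routers only speak UDP, and UDP drops are silent.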