Installation

newbie question on how to set up Splunk to receive logs from Ubiquiti routers, switches and the controller

borjales
Engager

Hi,

Is there a step-by-step procedure to know how I can set up the Ubiquiti routers, switches and the controller to send logs to Splunk? I am new and lack knowledge in how to set it up. I am using the trial version of Cloud Platform. What is your recommended approach if there are no guidelines? Thanks.

Best,

Borjales


gcusello
SplunkTrust
SplunkTrust

Hi @borjales,

On splunkbase there are two add-ons that surely will help you in this job:

Ubiquiti add-on for Splunk https://splunkbase.splunk.com/app/4107/

Ubiquiti UNMS add-on for Splunk https://splunkbase.splunk.com/app/5033/

Anyway, if Ubiquiti logs are sent by syslog, you have to enable network inputs (UDP or TCP) on your Splunk Indexer or Heavy Forwarder [Settings -- Data Inputs -- TCP or UDP].

In addition, you can find information at:

https://splunk-connect-for-syslog.readthedocs.io/en/latest/sources/Ubiquiti/

https://community.ui.com/questions/Forwarding-logs-to-Splunk/146585bf-c903-4892-b285-9958c78ce4be

Ciao.

Giuseppe


borjales
Engager

Thanks a lot for the swift response, Giuseppe and Jschogel,

I was hoping to push the syslogs from the switches and routers via port 512 without any intermediaries such as a syslog server. Is this possible? I will look into the information Giuseppe includes, as it looks as if this is indeed possible.

Best,
Borjales


gcusello
SplunkTrust
SplunkTrust

Hi @borjales,

Yes, it's possible. Splunk can work as a syslog server to ingest syslogs.

You can find this feature as a basic Splunk Enterprise feature or (better) using the Syslog Connect App (https://splunkbase.splunk.com/app/4740/).

You can enable the feature on Indexers or on a dedicated Splunk server called Heavy Forwarder, that's a full Splunk installation that forwards all data to the indexers.

The choice to have a dedicated server for this role obviously depends on the volume of syslogs.

To complete the architecture, for HA reasons, it's better to enable syslog ingesting on two Splunk Servers (Indexers or HFs), putting in front of them a Load Balancer to manage load balancing and fail over (as you know, you can take syslogs only when they are sent, but you lose them if you have a problem on the receiver).

If this answer solves your problem, please, accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉
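The network input Giuseppe describes, written out as an inputs.conf fragment for the Indexer or Heavy Forwarder. This is an added example, not from the thread or from either add-on; the index name, the sourcetype and the device subnet are assumptions, and the sourcetype in particular should be taken from whichever add-on you install.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Indexer or Heavy Forwarder.
# Equivalent to Settings -> Data Inputs -> UDP / TCP in the web UI.
# Splunk .conf files only treat a line starting with "#" as a comment,
# so never put a comment after a value on the same line.
#
# Assumed values (adjust to your environment):
#   index "network"            - must already exist on the indexers
#   sourcetype "ubiquiti:syslog" - use the sourcetype your add-on expects
#   device subnet 192.0.2.0/24  - the Ubiquiti routers/switches/controller
#
# On Linux a Splunk process running as a non-root user cannot bind port 514;
# use a port above 1024 (for example 5514) and point the devices at it.

# UDP syslog: cheapest for the devices, but datagrams are lost if the
# receiver is down, which is why a second receiver behind a load balancer
# is recommended above.
[udp://514]
# tag each event with the sending device's IP address
connection_host = ip
sourcetype = ubiquiti:syslog
index = network
# only accept datagrams from the device subnet, drop everything else
acceptFrom = 192.0.2.0/24
# keep the device's own timestamp instead of prepending Splunk's
no_appending_timestamp = true

# TCP syslog for devices that support it (no loss on transient drops)
[tcp://514]
connection_host = ip
sourcetype = ubiquiti:syslog
index = network
acceptFrom = 192.0.2.0/24
```

Apply the same stanzas on the second receiver and restart Splunk (or use the web UI, which reloads inputs without a restart); then check Settings -> Data Inputs that the port shows as enabled and search `index=network` for the first events.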


nyc_jason
Splunk Employee
Splunk Employee

Have a look at this addon:

https://splunkbase.splunk.com/app/4107

Basically, send Ubiquiti data via syslog to a syslog server, where you can have a Splunk UF monitor it and send it to the cloud.
