newbie question on how to setup splunk to receive logs from Ubiquiti routers, switches and the controller

borjales
Engager

Hi,

Is there a step-by-step procedure to know how I can setup the Ubiquiti routers, switches and the controller to send logs to Splunk? I am new and lack knowledge in how to set it up. I am using the trial version of Cloud Platform. What is your recommended approach if there are no guidelines? Thanks.

Best,

Borjales


gcusello
Legend

Hi @borjales,

On splunkbase there are two add-ons that surely will help you in this job:

Ubiquiti add-on for Splunk https://splunkbase.splunk.com/app/4107/

Ubiquiti UNMS add-on for Splunk https://splunkbase.splunk.com/app/5033/

Anyway, if Ubiquiti logs are sent by syslog, you have to enable network inputs (UDP or TCP) on your Splunk Indexer or Heavy Forwarder [Settings -- Data Inputs -- TCP or UDP].

In addition, you can find information at:

https://splunk-connect-for-syslog.readthedocs.io/en/latest/sources/Ubiquiti/

https://community.ui.com/questions/Forwarding-logs-to-Splunk/146585bf-c903-4892-b285-9958c78ce4be

Ciao.

Giuseppe


borjales
Engager

Thanks a lot for the swift response, Giuseppe and Jschogel,

I was hoping to push the syslogs from the switches and routers via port 512 without any intermediaries such as a syslog server. Is this possible? I will look into the information Giuseppe includes, as it looks as if this is indeed possible.

Best,
Borjales


gcusello
Legend

Hi @borjales,

Yes, it's possible. Splunk can work as a syslog server to ingest syslogs.

You can find this feature as a basic Splunk Enterprise feature or (better) using the Syslog Connect App (https://splunkbase.splunk.com/app/4740/).

You can enable the feature on Indexers or on a dedicated Splunk server called Heavy Forwarder, that is, a full Splunk installation that forwards all data to the indexers.

The choice to have a dedicated server for this role, obviously depends on the volume of syslogs.

To complete the architecture, for HA reasons, it's better to enable syslog ingesting on two Splunk Servers (Indexers or HFs), putting a Load Balancer in front of them to manage load balancing and failover (as you know, you can take syslogs only when they are sent, but you lose them if you have a problem on the receiver).

If this answer solves your problem, please, accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉
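As an added example (not from Giuseppe's replies or from the add-ons he links), this is what the network input he describes (Settings -- Data Inputs -- UDP/TCP) looks like in inputs.conf on the receiving Indexer or Heavy Forwarder. The index name, the accepted subnets and the TCP port are assumed placeholders; the sourcetype should be the one the Ubiquiti add-on documents.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/ directory)
# on the Indexer or Heavy Forwarder that receives the device syslog traffic.

# UDP listener on the standard syslog port (514). Ports below 1024 require the
# splunkd process to run as root or hold CAP_NET_BIND_SERVICE; if it does not,
# use a high port such as 1514 and point the devices at that port instead.
[udp://514]
# Replace with the sourcetype documented by the Ubiquiti add-on so its parsing applies.
sourcetype = syslog
# Assumed index name; it must exist in indexes.conf before events arrive.
index = network
# Set the host field from the sending device's IP, not this Splunk server's name.
connection_host = ip
# UDP syslog carries no authentication: restrict the listener to the device and
# controller subnets (constructed example ranges) so nothing else can write here.
acceptFrom = 192.0.2.0/24, 198.51.100.0/24
# Keep the device's own timestamp; do not prepend a Splunk-generated timestamp and host.
no_appending_timestamp = true

# Optional TCP listener for devices that can send syslog over TCP (assumed port).
[tcp://1514]
sourcetype = syslog
index = network
connection_host = ip
acceptFrom = 192.0.2.0/24, 198.51.100.0/24
```

Restart splunkd (or reload the inputs) after editing, and confirm the port is listening and not blocked by the host firewall before pointing the devices at it.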


jschogel_splunk
Splunk Employee

Have a look at this add-on:

https://splunkbase.splunk.com/app/4107

Basically, send Ubiquiti data via syslog to a syslog server, where you can have a Splunk UF monitor it and send it to the cloud.
