Hi! This is a very basic question. First time working with Splunk Enterprise Platform.
How do you actually go about switching on the feature to log network traffic coming into an internal network with a specific IP range? I essentially want for Splunk Enterprise to act as a logger for all traffic that enters the internal network on a certain port, for example. How do I go about it?
FYI - I do not want to use the Forwarder or upload log files function.
Hi @gayathrc ... I believe you have some network devices, you want to monitor/send the network devices logs to Splunk.
If so, you may use a syslog tool to forward the logs to a "heavy forwarder" (HF), and then, from the HF, you can send the logs to the Splunk indexer.
If this is just a small POC project or use-case testing, then you can achieve it without an HF (or even without syslog), but there will be data loss issues.
Please provide some more details about the requirements, thanks.
Hi @inventsekar - you guessed it right! I'm only looking to use Splunk for a small Network Forensics project where I need to demo an attack on an internal network. For this purpose, I need to log the events and ensure that one such event sends out an Event Alert from Splunk. This will aid in investigating the attack. It's not a huge network; the project only requires about 5-6 devices in the internal network.
Hi @gayathrc ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @gayathrc ... Pls check this "Getting Data In" Splunk document; it gives the steps for monitoring a network input (TCP / UDP).
https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports
upvotes / karma points appreciated, thanks.
Hi @gayathrc ,
I suppose that you already have your Splunk infrastructure; if not, you have to engage a Splunk architect to design it.
Anyway, are you speaking of packet capture or network switch logs?
In the first case, you have to configure the Splunk App for Stream; for more details see
https://splunkbase.splunk.com/app/1809
https://splunkbase.splunk.com/app/5234
https://splunkbase.splunk.com/app/5238
If instead you have to use switch logs, you have to configure one of the components of your Splunk infrastructure (usually a Heavy Forwarder) as the receiver of network inputs (for more info see https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports).
Then you have to install the add-on related to your network technology (e.g. the Cisco Add-on for network technology https://splunkbase.splunk.com/app/1467) and then search for the fields extracted.
If you don't have the basic knowledge about Splunk searching, see the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial).
Ciao.
Giuseppe
Hi
It's like @gcusello said, but I want to add one comment. You should never use Splunk as a syslog receiver even though it can do it. You will lose events more or less. It's much better to use real syslog servers to manage a centralised syslog server. You could use e.g. rsyslog, syslog-ng or SC4S (Syslog Connector for Splunk).
r. Ismo
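As an added example (not posted by anyone in this thread), here is the inputs.conf fragment for the Heavy Forwarder receiver that Giuseppe describes, set up the way Ismo suggests: a syslog relay (rsyslog/syslog-ng/SC4S) in front of it, and Splunk accepting connections only from that relay and the internal range. The port 1514, the address 10.10.0.0/24 for the internal network, the relay address 10.10.0.5 and the index name `network` are assumptions for illustration.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Heavy Forwarder
# (added example; create the "network" index on the indexers first)

# TCP syslog from the relay: TCP is preferred over UDP so that the
# relay can buffer and retry instead of silently dropping events.
[tcp://1514]
# Set the host field from the sending IP so each device is identifiable
connection_host = ip
sourcetype = syslog
index = network
# Only the internal range (and the relay inside it) may connect;
# anything else is refused at the input, which limits log injection
# from outside the network under investigation.
acceptFrom = 10.10.0.0/24
# Spill to disk if the indexing pipeline backs up, instead of dropping
persistentQueueSize = 200MB

# Optional: direct UDP 514 from devices that cannot send TCP.
# Needs root or the CAP_NET_BIND_SERVICE capability for a port < 1024,
# and UDP loss is exactly what Ismo warns about, so keep it to the POC.
[udp://514]
connection_host = ip
sourcetype = syslog
index = network
acceptFrom = 10.10.0.0/24
queueSize = 10MB
persistentQueueSize = 200MB
```

After restarting Splunk on the HF, the search `index=network` should show events with `host` set to each device's IP, which is what the Event Alert in the forensics demo can be built on.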