Monitoring Splunk

Logging in Splunk Enterprise

gayathrc
Engager

Hi! This is a very basic question. First time working with Splunk Enterprise Platform.

How do you actually go about switching on the feature to log network traffic coming into an internal network with a specific IP range? I essentially want for Splunk Enterprise to act as a logger for all traffic that enters the internal network on a certain port, for example. How do I go about it?

FYI - I do not want to use the Forwarder or upload log files function.

Labels (1)
0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

Hi @gayathrc ... I believe you have some network devices, you want to monitor/send the network devices logs to Splunk. 

if so, you may use a syslog tool, to forward the logs to a "heavy forwarder"(HF), and then, from HF, you can send the logs to Splunk indexer. 

if this is just a small POC project or use-case testing, then, you can achieve it without HF(or even without syslog)(but there will be data loss issues).

Please provide some more details about the requirements, thanks.   

View solution in original post

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @gayathrc ... I believe you have some network devices, you want to monitor/send the network devices logs to Splunk. 

if so, you may use a syslog tool, to forward the logs to a "heavy forwarder"(HF), and then, from HF, you can send the logs to Splunk indexer. 

if this is just a small POC project or use-case testing, then, you can achieve it without HF(or even without syslog)(but there will be data loss issues).

Please provide some more details about the requirements, thanks.   

0 Karma

gayathrc
Engager

Hi @inventsekar - you guessed it right! I'm only looking to use Splunk for a small Network Forensics project where I need to demo an attack on an internal network. For this purpose, I need to log the events and ensure that one such events sends out an Event Alert from Splunk. This will aid in investigating the attack. It's not a huge network, the project only requires about 5-6 devices in the internal network.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gayathrc ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @gayathrc ...Pls check this "Getting Data in" Splunk document.. this gives the steps of monitoring a network input (TCP / UDP). 

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports

 

upvotes / karma points appreciated, thanks. 

gcusello
SplunkTrust
SplunkTrust

Hi @gayathrc ,

I suppose that you already have your Splunk infrastrcuture, if not you have to engage a splunk architect to design it.

Anyway, are you speaking of Packet capture or network switches logs?

in the first case, you have to configure The Splunk App for Steam, for more datails see at 

https://splunkbase.splunk.com/app/1809

https://splunkbase.splunk.com/app/5234

https://splunkbase.splunk.com/app/5238

If instead you have to use Swirches logs, you have to configure one of the component of your Splunk infrastructure (usually an Heavy Forwarder) as receiver of network inputs (for more infos see at https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports).

then you have to install the add-on related to your network technology (e.g. the Cisco Add-on for network technoogy https://splunkbase.splunk.com/app/1467) and then search for the fieds extracted.

If you don't have the basic knoledge about Splunk searching, see the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial).

Ciao.

Giuseppe

isoutamo
SplunkTrust
SplunkTrust

Hi

It's like @gcusello said, but I want to add one comment. You should never use splunk as an syslog receiver even it can do it. You will lose event more or less. It's much better to use real syslog servers to manage centralised syslog server. You you could use e.g. rsyslog, syslog-ng or SC4S (Syslog connector for splunk).

r. Ismo

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...