Monitoring Splunk

Logging in Splunk Enterprise

gayathrc
Engager

Hi! This is a very basic question. First time working with Splunk Enterprise Platform.

How do you actually go about switching on the feature to log network traffic coming into an internal network with a specific IP range? I essentially want for Splunk Enterprise to act as a logger for all traffic that enters the internal network on a certain port, for example. How do I go about it?

FYI - I do not want to use the Forwarder or upload log files function.

1 Solution

inventsekar
SplunkTrust
SplunkTrust

Hi @gayathrc ... I believe you have some network devices, and you want to monitor/send the network devices' logs to Splunk.

If so, you may use a syslog tool to forward the logs to a "heavy forwarder" (HF), and then, from the HF, you can send the logs to the Splunk indexer.

If this is just a small POC project or use-case testing, then you can achieve it without an HF (or even without syslog), but there will be data loss issues.

Please provide some more details about the requirements, thanks.   

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!

gayathrc
Engager

Hi @inventsekar - you guessed it right! I'm only looking to use Splunk for a small Network Forensics project where I need to demo an attack on an internal network. For this purpose, I need to log the events and ensure that one such event sends out an Event Alert from Splunk. This will aid in investigating the attack. It's not a huge network; the project only requires about 5-6 devices in the internal network.

gcusello
SplunkTrust
SplunkTrust

Hi @gayathrc ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


inventsekar
SplunkTrust
SplunkTrust

Hi @gayathrc ... Pls check this "Getting Data In" Splunk document; it gives the steps for monitoring a network input (TCP / UDP).

https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports

Upvotes / karma points appreciated, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!

gcusello
SplunkTrust
SplunkTrust

Hi @gayathrc ,

I suppose that you already have your Splunk infrastructure; if not, you have to engage a Splunk architect to design it.

Anyway, are you speaking of packet capture or network switch logs?

In the first case, you have to configure the Splunk App for Stream; for more details see

https://splunkbase.splunk.com/app/1809

https://splunkbase.splunk.com/app/5234

https://splunkbase.splunk.com/app/5238

If instead you have to use switch logs, you have to configure one of the components of your Splunk infrastructure (usually a Heavy Forwarder) as receiver of network inputs (for more info see https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/Monitornetworkports).

Then you have to install the add-on related to your network technology (e.g. the Cisco Add-on for network technology https://splunkbase.splunk.com/app/1467) and then search for the fields extracted.

If you don't have the basic knowledge about Splunk searching, see the Splunk Search Tutorial (https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial).

Ciao.

Giuseppe
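As an added illustration of the network-input configuration the post above points to (this is example configuration written for this thread, not taken from the Splunk documentation or from any poster): an inputs.conf fragment for the Heavy Forwarder that listens for syslog on UDP and TCP 514, accepts only senders from one internal range (which is what the original question asks for), and tags the data so it can be searched and alerted on. The index name `network`, the `192.168.10.0/24` range and the port are assumed placeholders for the asker's lab; the setting names are standard inputs.conf keys.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Heavy Forwarder
# (example configuration; index name, port and CIDR are placeholders)

[udp://514]
# Only accept datagrams from the internal lab range; anything else is dropped.
acceptFrom = 192.168.10.0/24
# Record the sender's IP as the host field (dns would do a reverse lookup per event).
connection_host = ip
sourcetype = syslog
index = network
# Keep the device's own syslog timestamp and <PRI> header instead of having Splunk
# prepend its own timestamp/host and strip the priority.
no_appending_timestamp = true
no_priority_stripping = true
# Buffer bursts in memory and spill to disk so a short indexer outage does not
# silently lose UDP data (the "data loss issues" mentioned earlier in the thread).
queueSize = 10MB
persistentQueueSize = 100MB

[tcp://514]
acceptFrom = 192.168.10.0/24
connection_host = ip
sourcetype = syslog
index = network
```

Two practical notes: the `network` index has to exist on the indexer (indexes.conf) or the events are dropped, and binding a port below 1024 requires the Splunk process to run with root privileges, so labs often listen on a high port such as 5514 and point the devices there. After restarting, `splunk btool inputs list --debug` shows the effective stanzas, and a search such as `index=network | stats count by host` confirms that each device in the range is arriving.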

isoutamo
SplunkTrust
SplunkTrust

Hi

It's like @gcusello said, but I want to add one comment. You should never use Splunk as a syslog receiver even though it can do it. You will lose events more or less. It's much better to use real syslog servers to manage a centralised syslog server. You could use e.g. rsyslog, syslog-ng or SC4S (Syslog connector for splunk).

r. Ismo
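To show the alternative this comment recommends, here is an added example (not configuration from any poster or from the rsyslog/syslog-ng projects) of the Splunk side of that design: a real syslog server such as rsyslog receives UDP/TCP 514 and writes one directory per sending host, and a Universal or Heavy Forwarder on the same machine simply monitors those files, so a Splunk restart no longer drops traffic. The directory layout `/var/log/remote-syslog/<host>/*.log` and the index name `network` are assumed for this example; the syslog server's own template configuration is a separate step not shown here.

```ini
# inputs.conf on the syslog server host (UF or HF), example configuration.
# Assumed layout written by rsyslog/syslog-ng: /var/log/remote-syslog/<host>/messages.log

[monitor:///var/log/remote-syslog]
# Walk the per-host subdirectories.
recursive = true
# Take the host field from the 4th path segment:
#   /var/log/remote-syslog/<host>/messages.log  ->  var=1, log=2, remote-syslog=3, host=4
host_segment = 4
sourcetype = syslog
index = network
# Index the live .log files only; skip the rotated, compressed archives.
whitelist = \.log$
blacklist = \.gz$
```

Because the syslog daemon owns the socket, it keeps accepting and writing during indexer or forwarder restarts, and the forwarder resumes from where it left off in each file, which is the event-loss difference this comment is pointing at. The same `acceptFrom`-style source restriction belongs in the syslog server's configuration (or a host firewall) in this layout, since Splunk no longer terminates the network connection.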
