Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

firewall logs

mohammadnreda
New Member
‎05-27-2024 06:13 AM

hello every one

i had sangfor firewall, and there is no addon on splunk for it,

so what is the method to get firewall logs on splunk

thanks

Labels (1)
Labels
0 Karma
Reply

emdaax
Explorer
‎05-27-2024 06:44 AM

Hi @mohammadnreda,

I would recommend following some general steps to ingest your logs via Syslog. There are multiple ways to get Syslog data into Splunk, and the current best practice is to use "Splunk Connect for Syslog (SC4S)." This is a containerized Syslog-ng server with a configuration framework designed to simplify the process of getting Syslog data into both Splunk Enterprise and Splunk Cloud.

If you already have a dedicated Syslog server (such as rsyslog or Syslog-ng), you simply need to enable Syslog forwarding from your Sangfor Firewall to the Syslog collector. From there, use a Universal Forwarder instance to read and forward your Syslogs to an indexer.

Some useful links:

 

There is also an older post about Sangfor Firewall (answered by gcusello) that might be helpful for you:

 

best regards,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-27-2024 06:24 AM

Hi @mohammadnreda,

I suppose that you're receivig your firewall logs by syslog.

So you have to create your custom add-on to parse your logs.

If you need to use them in ES or ITSI you have also to nomalize them and the Splunk Add-On Builder (https://splunkbase.splunk.com/app/2962) can help you in normalization.

If instead you have only tro monitor your firewalls, you can only parse your logs to extract all the relevant fields to use in dashboards.

Anyway, my hint is to normalize your logs to have a custom CIM 4.x compliant add-on.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...