Splunk Dev

Data input configuration for UDP syslogs from SonicWall firewall

captainjak
New Member

Hi there,

I need your support to configure Splunk for our network security environment.
I have installed Splunk on our Windows 2012 Server. Splunk Web was working fine. We need to add our SonicWall firewall syslogs to Splunk via Add Data input. Guide us to configure data inputs and index the data automatically.

0 Karma

adonio
Ultra Champion

@captainjak,
this seems to be getting a little out of hand ...
kindly read the documentation on how to on-board data in Splunk as well as other relevant documents.
here is the list of steps for a single Splunk instance WITHOUT using a syslog server
1. enable listening on the relevant port
2. define a sourcetype - in your case, it can be from the Dell SonicWall TA and app https://splunkbase.splunk.com/app/4544/ https://splunkbase.splunk.com/app/4507/
3. define the index the data will be stored at
4. look at the data by searching from splunk GUI index=<your index>
5. good luck

vsingla1
Communicator

@captainjak You can use Linux's native rsyslog utility to ingest syslog data from your firewall. This syslog utility can be configured to listen on a UDP or TCP port, and then write the data to a directory on the local server. Then install a Splunk UF on this Linux server and subsequently configure monitor stanzas in this UF's inputs.conf to read the files from the local directory and send them to the Splunk indexers.
If your Splunk enterprise is running on Windows Server, you can still configure Splunk UF on Linux server to send data to Splunk indexers on Windows server.
You may want to check this blog as well: https://www.function1.com/2012/05/syslog-collection-with-splunk

captainjak
New Member

Hi,

Thanks for your reply vsingla1. Your answer was helpful somehow. But I got stuck at data indexing on the Windows server. My Splunk setup is running on Windows Server. Can I install a syslog server on the same Windows server, and configure the log directory in "Continuously monitor" in Splunk with UDP port 515? Guide me to complete the configuration and get it running smoothly.

0 Karma

vsingla1
Communicator

When you say your Splunk setup is running on Windows Server, exactly which component of Splunk are you running on Windows Server? Is that component the UF, indexer or search head?
Also, I am not familiar with using syslog on Windows Server to capture the firewall logs. But I can certainly warrant for the native syslog utility on Linux servers to collect and forward data to the indexers.
What I am trying to say here is, you will want to have your firewall syslog data sent to a Linux server (that has the Splunk UF installed on it). This UF will then subsequently send data to the indexer (which I believe can be a Windows indexer in your case).
It seems you are trying to use the UI to configure data inputs (like in "Continuously monitor"). Rather than that, use a deployment server to push inputs.conf to your Splunk UF. You do not want to install a syslog server on the indexer and monitor files from there; that is not a recommended approach.
Let me know if you have any questions on this set up.

0 Karma

captainjak
New Member

Hi,
I will explain briefly once.

  1. I've installed Splunk Enterprise from the Splunk website. I don't have an idea about the components like UF, indexer, search head. How do I find out which component is running? I think it is the indexer, which will display log messages.
  2. As you suggested using a Linux server: can both forwarding and indexing be on the same server, or do we need two? If we can install on a single Linux server, please provide any useful link for installation and for adding a data input.
  3. How to configure the inputs.conf file to receive logs from the firewall? Will it update logs dynamically?

mail to: jakir.shaik@stltech.in

0 Karma

vsingla1
Communicator

@captainjak If yours is a small installation with not many users, indexing/searching can be done on one server. But forwarding definitely needs to be on a different server. Ideally, I like all three layers - forwarding, indexing and searching - on separate servers. Also, my preference is Linux over Windows.

To configure inputs.conf, you would also need a 4th server, called a deployment server, to push inputs.conf to the Splunk UFs.
For more details on configuring inputs.conf for syslog, check these links: http://www.georgestarcher.com/splunk-success-with-syslog/
https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Exampleaddaninputtoforwarders

0 Karma

captainjak
New Member

Hi @vsingla1

Thanks for your response. We are very close to indexing firewall logs, but a small link is missing somewhere that we are unable to find.
The indexer, UF and searching are on the same single Linux server. The rsyslog server is configured on the Linux server.
The Splunk Enterprise setup is working fine; it is showing the logs only from the local Linux server on which we have configured the UF and rsyslog server. Our SonicWall firewall logs are also coming to the server from the firewall, but we are unable to index the files in Splunk.
Need support.

0 Karma

vsingla1
Communicator

Have you configured /etc/rsyslog.conf to route firewall syslog data to a local folder on the Linux server? If so, where are your firewall syslogs collected on the Linux server? I mean, which directory? Subsequently, check that you have placed the monitor stanzas in inputs.conf (in the Splunk UF) to capture files under that directory.

0 Karma
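The rsyslog listener plus UF monitor stanza that vsingla1 describes above (rsyslog writing the firewall stream to a local directory, the UF monitoring it, with the /etc/rsyslog.conf and inputs.conf checks from the later reply), as an added example that is not from the thread or from Splunk. The log root, index name, sourcetype and the "splunk" group are assumptions; the TA's real sourcetype name should be used in place of the placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Writes the two config fragments the
# rsyslog -> UF pipeline needs. Assumed values: log root, index name,
# sourcetype, and that the UF runs as a user in group "splunk".
set -eu

LOG_ROOT="/var/log/remote"   # rsyslog writes one file per sending host here
FW_INDEX="sonicwall"         # index on the indexer (assumed; must exist there)
FW_SOURCETYPE="sonicwall"    # sourcetype defined by the SonicWall TA (assumed)

# rsyslog drop-in (e.g. /etc/rsyslog.d/10-sonicwall.conf): bind UDP 514 to a
# dedicated ruleset so firewall events land only under $LOG_ROOT/<host>/,
# not in /var/log/messages. Only one process can own UDP 514: if rsyslog
# listens here, do not also enable a Splunk UDP input on the same port.
write_rsyslog_conf() {
  cat > "$1" <<EOF
module(load="imudp")
template(name="RemoteHostFile" type="string"
         string="${LOG_ROOT}/%HOSTNAME%/syslog.log")
ruleset(name="remote") {
  action(type="omfile" dynaFile="RemoteHostFile"
         dirCreateMode="0750" dirGroup="splunk"
         fileCreateMode="0640" fileGroup="splunk")
}
input(type="imudp" port="514" ruleset="remote")
EOF
}

# Splunk UF inputs.conf stanza (local/inputs.conf or a deployment-server app):
# monitor every per-host file; host_segment=4 takes the host from the 4th
# path segment (/var(1)/log(2)/remote(3)/<host>(4)/syslog.log).
write_inputs_conf() {
  cat > "$1" <<EOF
[monitor://${LOG_ROOT}/*/syslog.log]
index = ${FW_INDEX}
sourcetype = ${FW_SOURCETYPE}
host_segment = 4
disabled = 0
EOF
}

# Quick check after `systemctl restart rsyslog`: is anything bound to UDP 514?
# Returns non-zero if not, which is the first thing to verify when packets
# reach the box (per a packet capture) but no file appears under $LOG_ROOT.
check_udp_514() {
  ss -ulnp 2>/dev/null | grep -q ':514 '
}
```

Run the two write functions as root, restart rsyslog and the UF, then confirm with `check_udp_514` and by watching a file appear under the log root when the firewall sends an event.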

vsingla1
Communicator

@captainjak I believe that all your questions have been answered. Can you confirm either way?

0 Karma

captainjak
New Member

Thanks @vsingla1 for your support.
I'm receiving the logs via the udp:514 port by configuring the data input UDP ports.
Now a new error is showing. Here it is:

Unable to search the indexed data due to license limit violation errors. How can we get back and limit the input data so that it does not exceed 500 MB per day?

0 Karma

captainjak
New Member

Hi @vsingla1,
Thanks for your response. All is set in our environment. But one small thing is missing.
We have installed Splunk Enterprise & Splunk UF on the same Linux server, and configured our firewall to send the syslogs to the same Linux server. Our Splunk indexer is showing the local Linux server logs fine, but is unable to display/index the firewall syslogs. Syslogs from the firewall are coming to the device; we have done a packet capture test on the server, and it showed all the incoming syslog traffic to the Linux server.
Just a small step away from displaying those logs, but unable to find it. Need support.

0 Karma