Hi there,
I need your support to configure Splunk for our network security environment.
I have installed Splunk on our Windows 2012 Server. Splunk Web was working fine. We need to add our SonicWall firewall syslogs to Splunk via Add Data inputs. Please guide us on configuring the data inputs so the data is indexed automatically.
@captainjak,
This seems to be getting a little out of hand ...
Kindly read the documentation on how to on-board data in Splunk, as well as the other relevant documents.
Here is the list of steps for a single Splunk instance WITHOUT using a syslog server:
1. enable listening on the relevant port
2. define a sourcetype - in your case, it can come from the Dell SonicWall TA and app: https://splunkbase.splunk.com/app/4544/ https://splunkbase.splunk.com/app/4507/
3. define the index the data will be stored in
4. look at the data by searching from the Splunk GUI: index=<your index>
5. good luck
@captainjak You can use Linux's native rsyslog utility to ingest the syslog data from your firewall. This syslog utility can be configured to listen on a UDP or TCP port and then write the data to a local directory on the server. Then install a Splunk UF on this Linux server and configure monitor stanzas in this UF's inputs.conf to read the files from the local directory and send them to the Splunk indexers.
If your Splunk Enterprise is running on Windows Server, you can still configure a Splunk UF on a Linux server to send data to the Splunk indexers on the Windows server.
You may want to check this blog as well: https://www.function1.com/2012/05/syslog-collection-with-splunk
Hi,
Thanks for your reply, vsingla1. Your answer was somewhat helpful. But I got stuck at data indexing on the Windows server. My Splunk setup is running on a Windows server; can I install a syslog server on the same Windows server and configure the log directory under "Continuously monitor" in Splunk with UDP port 515? Guide me to complete the configuration and get it running smoothly.
When you say your Splunk setup is running on a Windows server, exactly which component of Splunk are you running on the Windows server? Is that component the UF, the indexer or the search head?
Also, I am not familiar with using syslog on Windows Server to capture the firewall logs. But I can certainly vouch for the native syslog utility on Linux servers to collect and forward data to the indexers.
What I am trying to say here is that you will want to send your firewall syslog data to a Linux server (that has a Splunk UF installed on it). This UF will then send the data to the indexer (which I believe can be a Windows indexer in your case).
It seems you are trying to use the UI to configure data inputs (like "Continuously monitor"). Rather than that, use a deployment server to push inputs.conf to your Splunk UF. You do not want to install a syslog server on the indexer and monitor files from there; that is not a recommended approach.
Let me know if you have any questions on this set up.
Hi,
I will explain briefly once.
Mail to: jakir.shaik@stltech.in
@captainjak If yours is a small installation with not many users, indexing/searching can be done on one server. But forwarding definitely needs to be on a different server. Ideally, though, I like all three layers - forwarding, indexing and searching - on separate servers. Also, my preference is Linux over Windows.
To configure inputs.conf, you would also need a 4th server, called a deployment server, to push inputs.conf to the Splunk UFs.
For more details on configuring inputs.conf for syslog, check these links: http://www.georgestarcher.com/splunk-success-with-syslog/
https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Exampleaddaninputtoforwarders
Hi @vsingla1
Thanks for your response. We are very close to indexing the firewall logs, but a small link is missing somewhere and we are unable to find it.
The indexer, UF and search head are all on the same single Linux server. An rsyslog server is configured on the Linux server.
The Splunk Enterprise setup is working fine; it is showing only the logs from the local Linux server on which we have configured the UF and rsyslog server. Our SonicWall firewall logs are also arriving at the server from the firewall, but we are unable to index those files in Splunk.
Need support.
Have you configured /etc/rsyslog.conf to route the firewall syslog data to a local folder on the Linux server? If so, where are your firewall syslogs collected on the Linux server, i.e. in which directory? Then check that you have placed the monitor stanzas in inputs.conf (on the Splunk UF) to capture the files under that directory.
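The two layouts discussed in this thread (the "without a syslog server" steps, where Splunk itself listens on UDP, and vsingla1's rsyslog-to-file-to-UF layout) and the check asked for just above, as an added example that is not code from the thread, from Splunk or from the SonicWall apps. The script writes the rsyslog drop-in and the forwarder's inputs.conf and then verifies the hand-off between them. Every concrete value is an assumption chosen for illustration: firewall IP 192.0.2.10, spool directory /var/log/remote/sonicwall, index "firewall", sourcetype "sonicwall" (the real TA's sourcetype name may differ), the drop-in file name, and the UF install path. One caveat worth checking in an installation like the one described here: rsyslog and a Splunk `[udp://514]` input cannot both bind the same port on one host, and a port below 1024 needs root or CAP_NET_BIND_SERVICE, so a forwarder running as a non-root user cannot take 514 itself.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from Splunk or the SonicWall apps.
# Generates the config fragments the replies describe and checks the hand-off.
# All concrete values below are assumptions for illustration only.
set -eu

FW_IP="${FW_IP:-192.0.2.10}"                          # assumed firewall address
SPOOL_DIR="${SPOOL_DIR:-/var/log/remote/sonicwall}"  # assumed spool directory
INDEX="${INDEX:-firewall}"                            # assumed index name
SOURCETYPE="${SOURCETYPE:-sonicwall}"                 # assumed sourcetype name
UDP_PORT="${UDP_PORT:-514}"

# Layout A (vsingla1's): rsyslog owns UDP 514 and writes one file per day, but
# only for messages whose source IP is the firewall, so other hosts cannot
# spray into the spool. "stop" keeps those lines out of /var/log/messages.
rsyslog_fragment() {
  cat <<EOF
# /etc/rsyslog.d/50-sonicwall.conf (generated example)
module(load="imudp")
input(type="imudp" port="${UDP_PORT}")
template(name="SonicwallFile" type="string" string="${SPOOL_DIR}/%\$now%.log")
if \$fromhost-ip == "${FW_IP}" then {
    action(type="omfile" dynaFile="SonicwallFile")
    stop
}
EOF
}

# The UF side of layout A: a monitor stanza on the spool directory. The index
# must already exist on the indexer, otherwise the events are dropped.
inputs_fragment() {
  cat <<EOF
# inputs.conf on the universal forwarder (generated example)
[monitor://${SPOOL_DIR}]
index = ${INDEX}
sourcetype = ${SOURCETYPE}
disabled = false
EOF
}

# Layout B (the "without a syslog server" steps): Splunk listens on UDP itself.
# Use A or B on a given host, never both on the same port.
direct_udp_fragment() {
  cat <<EOF
# inputs.conf on the indexer (generated example, used instead of rsyslog)
[udp://${UDP_PORT}]
index = ${INDEX}
sourcetype = ${SOURCETYPE}
connection_host = ip
EOF
}

# Write layout A's fragments under OUT so they can be reviewed before copying
# them into /etc/rsyslog.d and the forwarder's etc/system/local.
write_configs() {
  local out="$1"
  mkdir -p "$out/rsyslog.d" "$out/splunk"
  rsyslog_fragment > "$out/rsyslog.d/50-sonicwall.conf"
  inputs_fragment > "$out/splunk/inputs.conf"
}

# The check asked for above: does the spool directory exist, has rsyslog
# written anything into it, and does inputs.conf monitor that same path?
# Each failure has its own return code so the first missing link is named.
check_handoff() {
  local spool="$1" inputs="$2"
  [ -d "$spool" ] \
    || { echo "FAIL: $spool does not exist; rsyslog never wrote a file there"; return 1; }
  [ -n "$(find "$spool" -type f -name '*.log' -print -quit)" ] \
    || { echo "FAIL: no *.log under $spool; check the imudp port and the fromhost-ip filter"; return 2; }
  grep -qF "[monitor://${spool}]" "$inputs" \
    || { echo "FAIL: $inputs has no monitor stanza for $spool"; return 3; }
  echo "OK: rsyslog writes to $spool and the UF monitors it"
}

# Usage: ./sonicwall-handoff.sh write <outdir>
#        ./sonicwall-handoff.sh check <path-to-inputs.conf>
case "${1:-}" in
  write) write_configs "${2:-.}" ;;
  check) check_handoff "$SPOOL_DIR" "${2:-/opt/splunkforwarder/etc/system/local/inputs.conf}" ;;
esac
```

Run `write` first, compare the generated files against what is actually deployed, then run `check` on the live forwarder; a return code of 2 with traffic visible in a packet capture points at the rsyslog filter or listener rather than at Splunk.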
@captainjak I believe that all your questions have been answered. Can you confirm either way?
Thanks @vsingla1 for your support.
I'm receiving the logs via UDP port 514 by configuring the UDP data input.
Now a new error is showing; here it is:
Unable to search the indexed data due to license limit violation errors. How can we get back and limit the input data so it does not exceed 500 MB per day?
Hi @vsingla1,
Thanks for your response. All is set in our environment, but one small thing is missing.
We have installed Splunk Enterprise and the Splunk UF on the same Linux server, and configured our firewall to send its syslogs to the same Linux server. Our Splunk indexer shows the local Linux server's logs fine, but is unable to display/index the firewall syslogs. The syslogs from the firewall are arriving at the device; we did a packet capture test on the server and it showed all the incoming syslog traffic to the Linux server.
We are just a small step away from displaying those logs, but are unable to find it. Need support.