Splunk Enterprise Security

How to create an index in Splunk to send data through a TCP port

Mukunda7
Explorer

We had some firewall devices sending data to one index previously. Now I have to create a new index for some of the devices to send data through a TCP port. I'm unable to find the old index and I'm not sure how to configure data to be sent to a TCP port through the Splunk main server. The index is created on the master node and I have provided bucket sizes, but what should be done next?

Please guide me through the steps to configure this, as it is a very important task for me.


Mukunda7
Explorer

I have already added indexes.conf and I can see the new index created, but I'm stuck on how inputs.conf and outputs.conf can be cloned from the previous index, and I need the next steps clearly. If possible, help me with that; it would be very helpful...


isoutamo
SplunkTrust

You need some TCP listener to receive syslog messages from network devices. Even though Splunk can do it, I don't propose using it. It's better to use a real syslog server or SC4S (Splunk Connect for Syslog) https://splunkbase.splunk.com/app/4740/

Just read and follow those instructions and you will get events into Splunk.

If you want to use the traditional way to set up a TCP listener for syslog messages, you can find instructions with Google. But remember that you will lose some messages when listening on a UDP/TCP port with Splunk, and if you are using the standard port 514 you must run Splunk as root, which is against security practices. Otherwise use ports over 1024, change your network equipment to send logs to this port, and prefer TCP over UDP.

r. Ismo


isoutamo
SplunkTrust

Based on your question I assume that you have an indexer cluster in use with a separate SH layer?

I'm not sure if you have used Splunk volumes or not (I strongly propose using them!). If you are already using them, then you should use them in the path definitions; otherwise use SPLUNK_DB.

In an indexer cluster you have a manager node or CM where those definitions are. Usually they should be in a separate TA/app in its own folder, under /opt/splunk/etc/master-apps/<your TA/APP name>/default/indexes.conf. The other option is that they are under /opt/splunk/etc/master-apps/_cluster/local/indexes.conf. If you don't have any indexes of your own, then it could be that there is only the _cluster/default/indexes.conf file, but don't use it (it could be overwritten when you do Splunk version updates)! Just add a new indexes.conf file under the local folder, or even better make your own app at the same level as _cluster. Name it e.g. my_indexes, or whatever your company naming policy is.

The content of this indexes.conf file is something like this:

[fw_audit]
repFactor = auto
tsidxWritingLevel = 4
journalCompression = zstd
# 8208000 seconds = 95 days before buckets are frozen
frozenTimePeriodInSecs = 8208000
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
summaryHomePath = $SPLUNK_DB/$_index_name/summary
tstatsHomePath = $SPLUNK_DB/$_index_name/datamodel_summary
maxTotalDataSizeMB = 5120
thawedPath = $SPLUNK_DB/fw_audit/thaweddb

After this is in place, just do

splunk apply cluster-bundle

on the CM as user splunk (or whatever your Splunk user is).

r. Ismo

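A worked version of the two replies above, as an added example that is not code from the thread or from Splunk: a shell script that lays out a my_indexes app on the manager node with the fw_audit index from Ismo's indexes.conf, writes an inputs.conf for a TCP syslog listener on a port above 1024 (the traditional Splunk-as-listener path the first reply warns is lossy; SC4S remains the better choice), lints both files for the `key = value` syntax and the privileged-port mistake, and only then runs splunk btool and splunk apply cluster-bundle, and only where the splunk CLI is present. The app name my_indexes, port 5514, sourcetype fw:syslog, the comment lines and the file locations are assumptions, not from the original post.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Splunk. Lays out a cluster app
# with the fw_audit index on the manager node, writes an inputs.conf for a TCP
# syslog listener on an unprivileged port, lints both files, then pushes the
# bundle. Assumed names: app my_indexes, port 5514, sourcetype fw:syslog.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP="my_indexes"

# indexes.conf for the cluster bundle (master-apps on the CM). The quoted
# heredoc keeps $SPLUNK_DB and $_index_name literal: Splunk expands them.
write_indexes_conf() {
  local dir="$1/etc/master-apps/$APP/local"
  mkdir -p "$dir"
  cat > "$dir/indexes.conf" <<'EOF'
[fw_audit]
repFactor = auto
tsidxWritingLevel = 4
journalCompression = zstd
# 8208000 s = 95 days before buckets are frozen (deleted unless coldToFrozenDir is set)
frozenTimePeriodInSecs = 8208000
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = $SPLUNK_DB/fw_audit/thaweddb
summaryHomePath = $SPLUNK_DB/$_index_name/summary
tstatsHomePath = $SPLUNK_DB/$_index_name/datamodel_summary
maxTotalDataSizeMB = 5120
EOF
  printf '%s\n' "$dir/indexes.conf"
}

# inputs.conf for the instance that actually listens (heavy forwarder or
# indexers). Port above 1024 so splunkd need not run as root; the index is
# chosen here, so outputs.conf on forwarders is unchanged.
write_inputs_conf() {
  local dir="$1/etc/apps/$APP/local"
  mkdir -p "$dir"
  cat > "$dir/inputs.conf" <<'EOF'
[tcp://5514]
index = fw_audit
sourcetype = fw:syslog
connection_host = dns
disabled = 0
EOF
  printf '%s\n' "$dir/inputs.conf"
}

# Lint: every setting line must be "key = value" (the thread's tstatsHomePath
# line lacked the '='), stanza headers must be bracketed, and tcp:// or udp://
# stanzas must not use a privileged port. Returns 1 on the first problem.
lint_conf() {
  local file="$1" line port n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*) ;;
      '[tcp://'*']'|'[udp://'*']')
        port="${line##*:}"; port="${port%]}"; port="${port#//}"
        if [ "$port" -lt 1024 ] 2>/dev/null; then
          echo "$file:$n: port $port needs root; use a port above 1024" >&2
          return 1
        fi ;;
      '['*']') ;;
      *=*) ;;
      *) echo "$file:$n: missing '=' in: $line" >&2; return 1 ;;
    esac
  done < "$file"
  return 0
}

# Write both files under $1 (defaults to SPLUNK_HOME), lint them, and apply the
# bundle only where the splunk CLI exists (run on the CM as the splunk user).
deploy_fw_audit() {
  local root="${1:-$SPLUNK_HOME}" f
  for f in "$(write_indexes_conf "$root")" "$(write_inputs_conf "$root")"; do
    lint_conf "$f" || return 1
  done
  if command -v splunk >/dev/null 2>&1; then
    splunk btool indexes list fw_audit --debug   # which file wins for each setting
    splunk apply cluster-bundle --answer-yes
  else
    echo "splunk CLI not found; files written under $root" >&2
  fi
}
```

Source the script on the CM as the splunk user and call deploy_fw_audit, or call write_indexes_conf and lint_conf on their own. The inputs.conf belongs on whichever instance actually listens (a heavy forwarder, or the indexers if you accept the loss on restart the first reply mentions), so copy it there; a forwarder's outputs.conf names the destination indexers and does not need to change for a new index, because the index is chosen per input in inputs.conf (or by SC4S).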