Splunk Enterprise Security

How to create an index in Splunk to send data through a TCP port

Mukunda7
Explorer

We previously had some firewall devices sending data to one index. Now I have to create a new index for some of the devices to send data through a TCP port. I'm unable to find the old index and I'm not sure how to configure data to be sent to a TCP port through the Splunk main server. The index is created on the master node and I have provided bucket sizes, but what should be done next?

Please guide me through the steps to configure this, as it is a very important task for me.


Mukunda7
Explorer

I have already added indexes.conf and I can see the new index created, but I'm stuck on how inputs.conf and outputs.conf can be cloned from the previous index, and I need the next steps clearly. If possible, help me with that; it would be helpful...


isoutamo
SplunkTrust

You need some TCP listener to receive syslog messages from network devices. Even though Splunk can do it, I don't propose using it. It's better to use any real syslog server or SC4S (Splunk Connect for Syslog): https://splunkbase.splunk.com/app/4740/

Just read and follow those instructions and you will get events into Splunk.

If you want to use the traditional way to set up a TCP listener for syslog messages, you can find instructions with Google. But remember that you will lose some messages when listening on a UDP/TCP port with Splunk, and if you are using the standard port 514 you must run Splunk as root, which is against security practices. Otherwise use ports over 1024 and change your network equipment to send logs to this port, and prefer TCP over UDP.

r. Ismo


isoutamo
SplunkTrust

Based on your question I assume that you have an indexer cluster in use with a separate SH layer?

I'm not sure if you have used Splunk volumes or not (I strongly propose using those!). If you are already using those, then you should use them in the path definition; otherwise use SPLUNK_DB.

In an indexer cluster you have a manager node or CM where those definitions are. Usually those should be in a separate TA/app in its own folder under /opt/splunk/etc/master-apps/<your TA/APP name>/default/indexes.conf. The other option is that those are under /opt/splunk/etc/master-apps/_cluster/local/indexes.conf. If you don't have any indexes of your own, then it could be that there is only the _cluster/default/indexes.conf file, but don't use it (it could be overwritten when you are doing Splunk version updates)! Just add a new indexes.conf file under the local folder, or even better, make your own app at the same level as _cluster. Name it e.g. my_indexes or whatever your company naming policy is.

The content of this indexes.conf file is something like this:

[fw_audit]
repFactor = auto
tsidxWritingLevel = 4
journalCompression = zstd
frozenTimePeriodInSecs = 8208000
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
summaryHomePath = $SPLUNK_DB/$_index_name/summary
tstatsHomePath = $SPLUNK_DB/$_index_name/datamodel_summary
maxTotalDataSizeMB = 5120
thawedPath = $SPLUNK_DB/fw_audit/thaweddb

After this is in place, just do

splunk apply cluster-bundle

on the CM as user splunk (or whatever your Splunk user is).

r. Ismo

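As an added example (not from the thread, and not Splunk's own tooling), here is a small Python linter for the two files the two answers above talk about, meant to be run before `splunk apply cluster-bundle`. It checks the listener stanza in inputs.conf for the points in the first answer (port above 1023 so splunkd need not run as root, TCP rather than UDP, an index that is named and actually defined) and the index stanza in indexes.conf for the mistakes that creep in when a stanza is cloned for a new index (paths still pointing at the old index name, a settings line that lost its `=`). The two sample configs embedded below are constructed for the example; the index names fw_audit, fw_new and fw_legacy and the port 1514 are assumptions, not values from the thread.

```python
"""Lint a Splunk inputs.conf / indexes.conf pair before applying a cluster bundle.

Added example, not Splunk code. The sample configs at the bottom are constructed.
"""
import re

PRIVILEGED_PORT_MAX = 1023                      # <=1023 needs root to bind
REQUIRED_PATH_KEYS = ("homePath", "coldPath", "thawedPath")
LISTENER_RE = re.compile(r"^(tcp|udp)://(?:(.+):)?(\d+)$")   # [tcp://1514], [udp://10.0.0.1:514]


def parse_conf(text):
    """Minimal Splunk .conf parser: returns (stanzas, problems).

    stanzas maps stanza name -> {key: value}; problems lists (line_no, message)
    for lines that are not usable as a setting (e.g. a key with no '=').
    """
    stanzas, problems, current = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None:
            problems.append((no, f"setting outside any stanza: {line!r}"))
            continue
        key, sep, value = line.partition("=")
        if not sep:                              # 'tstatsHomePath  $SPLUNK_DB/...' style typo
            problems.append((no, f"missing '=' in {line!r}"))
            continue
        stanzas[current][key.strip()] = value.strip()
    return stanzas, problems


def lint_inputs(stanzas, known_indexes):
    """Findings for every tcp:// or udp:// listener stanza."""
    findings = []
    for name, kv in stanzas.items():
        m = LISTENER_RE.match(name)
        if not m:
            continue
        proto, port = m.group(1), int(m.group(3))
        if port <= PRIVILEGED_PORT_MAX:
            findings.append(f"[{name}] port {port} is privileged; splunkd would have to run as root")
        if proto == "udp":
            findings.append(f"[{name}] udp listener; events are lost under load, prefer tcp")
        index = kv.get("index")
        if index is None:
            findings.append(f"[{name}] no index= set; events go to the default index")
        elif index not in known_indexes:
            findings.append(f"[{name}] index {index!r} is not defined in indexes.conf")
    return findings


def lint_indexes(stanzas):
    """Findings for every user index stanza (skips default, volume: and _internal-style names)."""
    findings = []
    for name, kv in stanzas.items():
        if name == "default" or name.startswith("volume:") or name.startswith("_"):
            continue
        for key in REQUIRED_PATH_KEYS:
            path = kv.get(key)
            if path is None:
                findings.append(f"[{name}] missing {key}")
            elif "$_index_name" not in path and f"/{name}/" not in path:
                # A path naming some other index is the classic cloned-stanza mistake.
                findings.append(f"[{name}] {key} = {path} does not refer to this index")
    return findings


def lint(inputs_text, indexes_text):
    """Return all findings for the two files as a list of strings."""
    idx_stanzas, idx_problems = parse_conf(indexes_text)
    in_stanzas, in_problems = parse_conf(inputs_text)
    findings = [f"indexes.conf:{n}: {msg}" for n, msg in idx_problems]
    findings += [f"inputs.conf:{n}: {msg}" for n, msg in in_problems]
    findings += ["indexes.conf " + f for f in lint_indexes(idx_stanzas)]
    findings += ["inputs.conf " + f for f in lint_inputs(in_stanzas, set(idx_stanzas))]
    return findings


# Constructed sample: tcp://1514 is the recommended shape; udp://514 is what the answer warns against.
SAMPLE_INPUTS = """\
[tcp://1514]
index = fw_audit
sourcetype = syslog
connection_host = dns

[udp://514]
index = fw_legacy
sourcetype = syslog
"""

# Constructed sample: fw_audit follows the answer's stanza; fw_new is a careless clone of it.
SAMPLE_INDEXES = """\
[fw_audit]
repFactor = auto
frozenTimePeriodInSecs = 8208000
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
thawedPath = $SPLUNK_DB/fw_audit/thaweddb
maxTotalDataSizeMB = 5120

[fw_new]
repFactor = auto
homePath = $SPLUNK_DB/$_index_name/db
coldPath = $SPLUNK_DB/$_index_name/colddb
tstatsHomePath  $SPLUNK_DB/$_index_name/datamodel_summary
thawedPath = $SPLUNK_DB/fw_audit/thaweddb
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_INPUTS, SAMPLE_INDEXES):
        print(finding)
```

To lint real files, read inputs.conf from the forwarder or heavy forwarder app and indexes.conf from the manager node app under master-apps and pass their contents to lint(). This is a pre-check only; the authoritative view of what Splunk will actually load, with every layer merged, is `splunk btool indexes list --debug` (and `splunk btool inputs list --debug`) on the host in question.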