Splunk Enterprise

Having Syslog logs into SPLUNK

siemsplunk
Explorer

We are in the process of data onboarding.

We managed to deploy a distributed architecture in which we have 3 indexers, 3 search, mastercluster, deployer, deployment, and 2 intermediate forwarders.

On my syslog server, I receive logs from the firewall through syslog port 10514, and I managed to install a forwarder on my syslog server connected to my deployment server. In my forwarder configuration file, I connect to both intermediate forwarders.

Now help me finish this task: how can I manage to see the firewall logs in my Splunk? What do you think I should edit on my syslog server? Please remember I don't write the syslog logs (firewall) to a file; they are streamed logs.

My forwarder inputs.conf file:

[udp://514]
connection_host = ip
index = tcra_firewall_idx
sourcetype = tcra:syslog:log

0 Karma
1 Solution

Tom_Lundie
Contributor

Hi,

It sounds like you've made great progress, nice one.

There are multiple designs and opinions out there regarding getting syslog into Splunk. It's up to you to decide what's best.

To get you started there are tools such as Splunk Connect For Syslog which provides an "all in one" feel, you can also use a syslog service such as rsyslog or syslog-ng to listen for your logs and cache them to disk and then forward them via a monitor stanza in inputs.conf.

However, if you want Splunk to listen directly, here is an example inputs.conf that you can tweak for your deployment:

[udp://10514]
disabled = false
connection_host = ip
sourcetype = <<firewall_product>>
index = main

For sourcetype, look on Splunkbase for your firewall vendor to check if there is an appropriate TA that you can use for field extractions. For example, a Palo Alto firewall would be pan_log.

For index, pick an appropriate index to suit your needs.

Finally, inputs.conf can either be deployed within an app (recommended) or directly under /opt/splunk/etc/system/local/.

Also, make sure that 10514 is permitted on the local firewall.


0 Karma

siemsplunk
Explorer

Thanks for the help

I see the logs now,

I tried to use a different port to take the logs from the syslog conf file.

source s_network {
udp(port(10514));
};

destination d_splunk {
udp("localhost" port(11514));
};

log {
source(s_network);
destination(d_splunk);
};


With this, I now see the logs...


0 Karma
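A consistency check for the relay chain this reply converges on (syslog-ng listening on 10514 and forwarding to a Splunk UDP input on 11514), written here as an added example and not code from the thread or from Splunk. It assumes the forwarder's inputs.conf stanza was moved to udp://11514, which the thread implies but never shows, and it flags a caveat the posts do not mention: behind a loopback relay, connection_host = ip records the relay's address as the event host rather than the firewall's.

```python
import configparser
import re
# Constructed sample: the thread's syslog-ng relay (listens on 10514, relays to Splunk on 11514).
SYSLOG_NG_CONF = """
source s_network { udp(port(10514)); };
destination d_splunk { udp("localhost" port(11514)); };
log { source(s_network); destination(d_splunk); };
"""
# Constructed sample: inputs.conf assumed (not shown in the thread) to have moved from udp://514 to 11514.
INPUTS_CONF = """
[udp://11514]
disabled = false
connection_host = ip
index = tcra_firewall_idx
sourcetype = tcra:syslog:log
"""

SRC_RE = re.compile(r"source\s+\w+\s*\{.*?udp\s*\(\s*port\s*\(\s*(\d+)", re.S)
DST_RE = re.compile(r'destination\s+\w+\s*\{.*?udp\s*\(\s*"([^"]+)"\s*port\s*\(\s*(\d+)', re.S)
LOOPBACK = ("localhost", "127.0.0.1", "::1")

def parse_syslog_ng(text):
    """Return (listen_port, relay_host, relay_port) from a minimal syslog-ng config."""
    src, dst = SRC_RE.search(text), DST_RE.search(text)
    if not src or not dst:
        raise ValueError("no udp source/destination found in syslog-ng config")
    return int(src.group(1)), dst.group(1), int(dst.group(2))

def parse_inputs(text):
    """Return {port: stanza_options} for every [udp://N] stanza in inputs.conf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {int(s.split("//", 1)[1]): dict(cp[s]) for s in cp.sections() if s.startswith("udp://")}

def check_relay(syslog_ng_text, inputs_text):
    """Return a list of findings; an empty list means the relay chain is consistent."""
    listen, host, relay = parse_syslog_ng(syslog_ng_text)
    findings = []
    if relay == listen and host in LOOPBACK:
        findings.append(f"relay port {relay} collides with the syslog-ng listen port")
    stanza = parse_inputs(inputs_text).get(relay)
    if stanza is None or stanza.get("disabled", "false").lower() in ("1", "true"):
        findings.append(f"no enabled [udp://{relay}] stanza in inputs.conf for the relay")
    elif host in LOOPBACK and stanza.get("connection_host", "ip") == "ip":
        # Behind a loopback relay the forwarder only ever sees the relay as the UDP sender,
        # so connection_host = ip stamps every event with the relay's address; the firewall's
        # own name survives only in the syslog header.
        findings.append("connection_host = ip behind a loopback relay: host will be the relay, "
                        "not the firewall; derive host from the syslog header instead")
    return findings
```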

siemsplunk
Explorer

@Tom_Lundie What about the syslog configuration? What should I do with it?

0 Karma

Tom_Lundie
Contributor

I'm not sure what you're stuck with.

Ideally, I would need to see your current configurations and error messages to support you.

What configuration file(s) are you stuck with?
Are your _internal logs reaching the Indexers?
Are you getting any errors?

0 Karma

siemsplunk
Explorer

Thank you so much for your help.

I am new to Splunk and I really want to master it. I will go and check the config as you said and I will let you know.

0 Karma
