Splunk Enterprise

How to set up an HP Procurve switch to send logs to a Splunk server?

jhl226116
Explorer

I have a hard time getting logs from the Procurve to the Splunk server. Any help would be greatly appreciated.

I can ping between the Splunk server and the HP Procurve switch and vice versa; they are in the same subnet. No firewall is blocking the connection:

Indexer: 10.10.50.11
Forwarder2: 10.10.50.15

root@indexer:~# ping 10.10.50.3

PING 10.10.50.3 (10.10.50.3) 56(84) bytes of data.
64 bytes from 10.10.50.3: icmp_seq=1 ttl=255 time=0.873 ms
64 bytes from 10.10.50.3: icmp_seq=2 ttl=255 time=0.858 ms

root@indexer:/opt/splunk/bin# ./splunk display listen

Receiving is enabled on port 9997.

root@indexer:/opt/splunk/bin# ./splunk btool inputs list splunktcp --debug | grep -v default

/opt/splunk/etc/system/local/inputs.conf        host = indexer
/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf connection_host = ip
/opt/splunk/etc/system/local/inputs.conf        host = indexer

root@indexer:/opt/splunk/bin# ./splunk btool outputs list splunktcp --debug | grep -v default

root@indexer:/opt/splunk/bin# ./splunk list inputstatus

Cooked:tcp :
   9997:10.10.50.12:8089
       time opened = 2017-04-19T21:49:41+1000

   9997:10.10.50.15:8089
      time opened = 2017-04-21T19:19:01+1000

tcp_cooked:listenerports :
    9997

UDP:listenerports :
    514

root@indexer:/opt/splunk/bin#

root@forwarder2:~# netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3824/sshd       
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      4304/splunkd    
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      896/dnsmasq     
tcp6       0      0 :::22                   :::*                    LISTEN      3824/sshd       
udp        0      0 0.0.0.0:514             0.0.0.0:*                           4304/splunkd    
udp        0      0 0.0.0.0:631             0.0.0.0:*                           8112/cups-browsed
udp        0      0 0.0.0.0:57978           0.0.0.0:*                           767/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           767/avahi-daemon: r
udp        0      0 127.0.1.1:53            0.0.0.0:*                           896/dnsmasq     
udp        0      0 0.0.0.0:68              0.0.0.0:*                           883/dhclient    
udp6       0      0 :::46130                :::*                                767/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                767/avahi-daemon: r

root@forwarder2:/opt/splunkforwarder/bin# ./splunk list forward-server

Active forwards:
    10.10.50.11:9997
Configured but inactive forwards:
    None

root@forwarder2:/opt/splunkforwarder/bin# ./splunk show deploy-poll

Deployment Server URI is set to "10.10.50.15:8089".

root@forwarder2:/opt/splunkforwarder/bin# ./splunk add udp 514 -sourcetype hp:switch

Listening for UDP input on port 514.

root@forwarder:/opt/splunkforwarder/bin# ./splunk add forward-server 10.10.50.11:9997

10.10.50.11:9997 forwarded-server already present
Listening port 9997 has already been enabled on the indexer.

What other information do you need from me and where do I go from here?

0 Karma

wvmjhritz
New Member

That's what we started using it for. Make sure that you've configured your Procurve switches to forward their logs to your Splunk server. On each switch, use the command:

logging (splunk server IP address)

Hope this helps...

0 Karma

jhl226116
Explorer

I forgot to mention that was already done. Thanks,

logging 10.10.50.11

How do I verify that I'm getting the logs from the HP Procurve switch? What commands do you need to run to determine whether logs are being received or not?

0 Karma
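One way to answer the "how do I verify" question, as an added example that is not part of any post in this thread: a small Python listener that parses the UDP syslog datagrams and returns the first one coming from the switch's address (10.10.50.3 is assumed to be the switch, from the ping earlier in the thread). It also carries an offline loopback self-test with a constructed sample message, so the parsing can be checked without a switch.

```python
import re
import socket

# Constructed sample in the classic BSD syslog (RFC 3164) shape; not captured from a real switch.
SAMPLE_SYSLOG = b"<14>Apr 21 19:30:01 10.10.50.3 ports: port 5 is now on-line"

# <PRI>TIMESTAMP HOSTNAME MSG, where PRI = facility * 8 + severity (RFC 3164, section 4.1)
SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def parse_syslog(datagram: bytes) -> dict:
    """Split one UDP syslog datagram into facility, severity, timestamp, host and message."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        raise ValueError("not an RFC 3164 datagram: %r" % datagram[:60])
    pri = int(m.group("pri"))
    if pri > 191:  # facilities 0-23 and severities 0-7 give at most 23*8+7
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts").decode(),
            "host": m.group("host").decode(), "message": m.group("msg").decode(errors="replace")}


def wait_for_syslog(sock: socket.socket, expected_src: str, timeout: float = 30.0):
    """Return the first datagram on the bound socket that comes from expected_src, parsed,
    or None if nothing from that address arrives within timeout. Datagrams from other
    sources are ignored, so a chatty neighbour cannot produce a false positive."""
    sock.settimeout(timeout)
    try:
        while True:
            data, (src_ip, _) = sock.recvfrom(4096)
            if src_ip == expected_src:
                parsed = parse_syslog(data)
                parsed["src_ip"] = src_ip
                return parsed
    except socket.timeout:
        return None


def loopback_self_test() -> dict:
    """Exercise the listener offline: bind an ephemeral loopback port and send SAMPLE_SYSLOG to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(SAMPLE_SYSLOG, listener.getsockname())
        return wait_for_syslog(listener, "127.0.0.1", timeout=2.0)


if __name__ == "__main__":
    # Real check, on the forwarder with splunkd stopped so udp/514 is free (needs root):
    #   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.bind(("0.0.0.0", 514)); print(wait_for_syslog(s, "10.10.50.3"))
    print(loopback_self_test())
```

For the Splunk side, searching the indexer for sourcetype=hp:switch (the sourcetype given to the UDP input above) shows whether the forwarded events are actually being indexed.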

jhl226116
Explorer

Actually, I got it working. Strange that it didn't work before, but I didn't do anything more than configuring logging again in the switch; maybe I forgot to wr mem. Anyway, it looks good now.
I will try some dodgy router next.

0 Karma

woodcock
Esteemed Legend

Don't forget to click Accept on this answer!

0 Karma