Splunk Enterprise

Is there any specific configuration should I add to my router?

rahaf94
Observer

Hello guys,

I am very new to splunk enterprise so please bear with me...

Just want some advice or getting started tips on how can I use splunk in company router for its event analysis.

Is there any specific configuration should I add to my router?

 

Labels (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rahaf94 ,

in addition to the indication from @PickleRick about how to take logs from a router (the input phase), I hint to find in Splunkbase (apps.splunk.com) the Technology Add-On (TA) for the router you're using so you'll have also the parsiong phase alrwady configured and you have only to use the logs you're indexing.

In Splunkbase you could also find an app for your router.

Ciao.

Giuseppe

0 Karma

rahaf94
Observer

I have different devices: 

Cisco Router 

DMZ switch

F5

0 Karma

jotne
Builder

It depends on what router you have and what you like to monitor.

What router do you have?

Tags (1)
0 Karma

rahaf94
Observer

It is Cisco Router 

0 Karma

jotne
Builder

Then Syslog is the way to go.  What that you can send all logs to Splunk.

Splunk can listen on port 514 and get syslog in, but to do that, you need to run Syslog as root.  Not recomended.

Use Rsyslog as a Syslog receiver and send it to Splunk.

See my example on how to setup Splunk as a non-root user and rsyslog here::

https://forum.mikrotik.com/viewtopic.php?p=888802#p888802

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It depends on the device you want to ingest logs from.

One thing is the protocol - with network devices usually syslog is used to send events from a router/firewall/switch/lb/whatevet to a syslog receiver. It's usually good to have a separate syslog-processing solution (sc4s, rsyslog) pushing events to splunk via HEC or storing in files to be read by forwarder. But some apps for specific sources use other methods for obtaining at least some data (old checkpoints were notorious with their opsec lea, for example).

Another thing is that for some apps to work properly the source device must be configured so that it emits events in a proper format.

So it can be a simple topic but can get quite complicated.

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...