I am very new to splunk enterprise so please bear with me...
Just want some advice or getting started tips on how I can use Splunk with our company router for event analysis.
Is there any specific configuration should I add to my router?
Hi @rahaf94 ,
in addition to the indication from @PickleRick about how to take logs from a router (the input phase), I suggest searching Splunkbase (apps.splunk.com) for the Technology Add-On (TA) for the router you're using, so you'll also have the parsing phase already configured and you only have to use the logs you're indexing.
In Splunkbase you could also find an app for your router.
Then Syslog is the way to go. With that you can send all logs to Splunk.
Splunk can listen on port 514 and get syslog in, but to do that, you need to run Splunk as root. Not recommended.
Use Rsyslog as a Syslog receiver and send it to Splunk.
See my example on how to set up Splunk as a non-root user and rsyslog here:
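As an added illustration of the rsyslog-in-front-of-Splunk pattern described in this answer (not the poster's own configuration or the linked example): rsyslog binds the privileged port 514, writes one file per sending router, and a Splunk universal forwarder running as the unprivileged `splunk` user picks the files up. The directory layout, the `splunk` user, the optional forwarding port 5514, and the `network` index / `cisco:ios` sourcetype are assumptions; use the sourcetype your router's TA expects.

```conf
# ---- /etc/rsyslog.d/10-router.conf (constructed example) ----
module(load="imudp")
module(load="imtcp")
# Routers usually speak UDP syslog; TCP is offered for devices that support it
input(type="imudp" port="514" ruleset="router")
input(type="imtcp" port="514" ruleset="router")

# One directory per router, one file per day: /var/log/remote/<router>/<date>.log
template(name="RouterFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
# Keep the original timestamp, host and tag so the Splunk TA can parse the event
template(name="RouterLine" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")

ruleset(name="router") {
    # Files are created readable by the (assumed) non-root 'splunk' forwarder user
    action(type="omfile" dynaFile="RouterFile" template="RouterLine"
           dirCreateMode="0755" fileCreateMode="0644"
           fileOwner="splunk" fileGroup="splunk")
    # Alternative: relay straight to a Splunk TCP input listening as non-root
    # on an unprivileged port (5514 is an assumed value)
    # action(type="omfwd" target="splunk.example.internal" port="5514" protocol="tcp")
}

# ---- Splunk universal forwarder: $SPLUNK_HOME/etc/apps/router_inputs/local/inputs.conf ----
# [monitor:///var/log/remote/*/*.log]
# host_segment = 4          # /var(1)/log(2)/remote(3)/<router>(4) -> host field
# sourcetype = cisco:ios    # assumption: pick the sourcetype your router's TA defines
# index = network           # assumption: an index created for network device logs
```

Because rsyslog owns port 514, Splunk never needs root, and the per-router files let `host_segment` set the `host` field to the router name rather than the syslog server.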
It depends on the device you want to ingest logs from.
One thing is the protocol - with network devices usually syslog is used to send events from a router/firewall/switch/lb/whatever to a syslog receiver. It's usually good to have a separate syslog-processing solution (sc4s, rsyslog) pushing events to Splunk via HEC or storing them in files to be read by a forwarder. But some apps for specific sources use other methods for obtaining at least some data (old Check Points were notorious for their OPSEC LEA, for example).
Another thing is that for some apps to work properly the source device must be configured so that it emits events in a proper format.
So it can be a simple topic but can get quite complicated.