Splunk Enterprise

Is there any specific configuration I should add to my router?

rahaf94
Observer

Hello guys,

I am very new to splunk enterprise so please bear with me...

Just want some advice or getting-started tips on how I can use Splunk with the company router for its event analysis.

Is there any specific configuration I should add to my router?


gcusello
SplunkTrust

Hi @rahaf94 ,

in addition to the indication from @PickleRick about how to take logs from a router (the input phase), I suggest searching Splunkbase (apps.splunk.com) for the Technology Add-On (TA) for the router you're using, so you'll also have the parsing phase already configured and you only have to use the logs you're indexing.

In Splunkbase you could also find an app for your router.

Ciao.

Giuseppe


rahaf94
Observer

I have different devices: 

Cisco Router 

DMZ switch

F5


jotne
Builder

It depends on what router you have and what you like to monitor.

What router do you have?


rahaf94
Observer

It is a Cisco Router.


jotne
Builder

Then Syslog is the way to go. With that you can send all logs to Splunk.

Splunk can listen on port 514 and get syslog in, but to do that, you need to run Syslog as root. Not recommended.

Use Rsyslog as a Syslog receiver and send it to Splunk.

See my example on how to set up Splunk as a non-root user and rsyslog here:

https://forum.mikrotik.com/viewtopic.php?p=888802#p888802


PickleRick
SplunkTrust

It depends on the device you want to ingest logs from.

One thing is the protocol - with network devices usually syslog is used to send events from a router/firewall/switch/lb/whatever to a syslog receiver. It's usually good to have a separate syslog-processing solution (sc4s, rsyslog) pushing events to splunk via HEC or storing in files to be read by forwarder. But some apps for specific sources use other methods for obtaining at least some data (old checkpoints were notorious with their opsec lea, for example).

Another thing is that for some apps to work properly the source device must be configured so that it emits events in a proper format.

So it can be a simple topic but can get quite complicated.

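One way to build the receiver-plus-forwarder path that jotne and PickleRick describe: rsyslog binds port 514, drops root, and writes one file per sending device, and a Splunk forwarder running as a normal user monitors those files. This is an added example, not configuration from either poster or from the linked thread; the file paths, the `syslog` and `splunk` users, the index and the sourcetype are assumptions (use the sourcetype the TA you install from Splunkbase documents).

```conf
# --- /etc/rsyslog.d/10-network-devices.conf (assumed path) ---
# Bind port 514 while still root, then drop to an unprivileged user so the
# daemon parsing untrusted network input does not run as root.
# /var/log/remote must be writable by that user.
global(privDropToUser="syslog" privDropToGroup="syslog")

module(load="imudp")
module(load="imtcp")
# Send both listeners to a dedicated ruleset so device logs never mix into
# the host's own /var/log/syslog.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending device, keyed on the sender's IP address rather than
# the hostname in the syslog header, which any sender can set to anything.
template(name="DeviceFile" type="string"
         string="/var/log/remote/%FROMHOST-IP%/syslog.log")
# Keep the line as received (only the <PRI> prefix removed) so the TA's
# parsing rules see the device's original message, not a reformatted one.
template(name="RawLine" type="string" string="%rawmsg-after-pri%\n")

ruleset(name="remote") {
    action(type="omfile" dynaFile="DeviceFile" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="syslog" fileGroup="splunk")
    stop
}

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder (assumed) ---
# The forwarder runs as the "splunk" user, which only needs read access to
# the files above (group "splunk", mode 0640), not root.
[monitor:///var/log/remote/*/syslog.log]
# /var/log/remote/<device-ip>/syslog.log -> the 4th path segment is the host
host_segment = 4
# index and sourcetype are assumptions; replace the sourcetype with the one
# the add-on for your device (Cisco, F5, the DMZ switch) expects
index = network
sourcetype = cisco:ios
disabled = false
```

Each device then lands in its own directory and can be given its own sourcetype with a separate monitor stanza, which is what lets the matching TA parse each source correctly.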