Splunk Enterprise

Is there any specific configuration should I add to my router?

rahaf94
Observer

Hello guys,

I am very new to splunk enterprise so please bear with me...

Just want some advice or getting started tips on how can I use splunk in company router for its event analysis.

Is there any specific configuration should I add to my router?


gcusello
SplunkTrust

Hi @rahaf94 ,

in addition to the indication from @PickleRick about how to take logs from a router (the input phase), I suggest looking in Splunkbase (apps.splunk.com) for the Technology Add-On (TA) for the router you're using, so you'll also have the parsing phase already configured and only have to use the logs you're indexing.

In Splunkbase you could also find an app for your router.

Ciao.

Giuseppe


rahaf94
Observer

I have different devices: 

Cisco Router 

DMZ switch

F5


jotne
Builder

It depends on what router you have and what you like to monitor.

What router do you have?


rahaf94
Observer

It is Cisco Router 


jotne
Builder

Then Syslog is the way to go. With that you can send all logs to Splunk.

Splunk can listen on port 514 and get syslog in, but to do that, you need to run Syslog as root. Not recommended.

Use Rsyslog as a Syslog receiver and send it to Splunk.

See my example on how to set up Splunk as a non-root user and rsyslog here:

https://forum.mikrotik.com/viewtopic.php?p=888802#p888802


PickleRick
SplunkTrust

It depends on the device you want to ingest logs from.

One thing is the protocol - with network devices usually syslog is used to send events from a router/firewall/switch/lb/whatever to a syslog receiver. It's usually good to have a separate syslog-processing solution (sc4s, rsyslog) pushing events to splunk via HEC or storing in files to be read by forwarder. But some apps for specific sources use other methods for obtaining at least some data (old checkpoints were notorious with their OPSEC LEA, for example).

Another thing is that for some apps to work properly the source device must be configured so that it emits events in a proper format.

So it can be a simple topic but can get quite complicated.

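A minimal setup matching the file-based approach jotne and PickleRick describe (rsyslog owns the privileged port 514 and writes one file per device, a Splunk instance running as a non-root user only reads those files), added here as an example that is not taken from either post or from the linked MikroTik thread. The file paths, the `splunk` group, the `network` index and the `cisco:ios` sourcetype (the one the Cisco Networks add-on expects) are assumptions for this example.

```conf
# /etc/rsyslog.d/10-network.conf (assumed path)
# rsyslog binds the privileged port; Splunk never has to run as root.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending device under /var/log/remote (assumed path),
# group-readable by the account Splunk runs as (group "splunk" assumed).
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/messages.log")
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="RemoteHostFile"
           dirCreateMode="0750" fileCreateMode="0640"
           dirGroup="splunk" fileGroup="splunk")
    stop
}

# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/inputs.conf)
# Splunk only tails the files rsyslog wrote.
[monitor:///var/log/remote/*/messages.log]
# Take the host from the 4th path segment (/var/log/remote/<host>/...),
# not from the name of the machine running Splunk.
host_segment = 4
# Sourcetype expected by the Cisco Networks add-on (assumed installed).
sourcetype = cisco:ios
index = network
disabled = 0
```

Restrict the listener to the management addresses of the Cisco router, switch and F5 with a firewall rule or an `$fromhost-ip` condition, so the receiver does not accept syslog from arbitrary hosts.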