Splunk Enterprise

Is there any specific configuration I should add to my router?

rahaf94
Observer

Hello guys,

I am very new to splunk enterprise so please bear with me...

Just want some advice or getting started tips on how can I use splunk in company router for its event analysis.

Is there any specific configuration I should add to my router?

gcusello
SplunkTrust

Hi @rahaf94 ,

in addition to the indication from @PickleRick about how to take logs from a router (the input phase), I suggest finding in Splunkbase (apps.splunk.com) the Technology Add-On (TA) for the router you're using, so you'll also have the parsing phase already configured and you only have to use the logs you're indexing.

In Splunkbase you could also find an app for your router.

Ciao.

Giuseppe


rahaf94
Observer

I have different devices:

Cisco Router

DMZ switch

F5


jotne
Builder

It depends on what router you have and what you like to monitor.

What router do you have?


rahaf94
Observer

It is a Cisco Router


jotne
Builder

Then Syslog is the way to go. With that you can send all logs to Splunk.

Splunk can listen on port 514 and get syslog in, but to do that, you need to run Syslog as root. Not recommended.

Use Rsyslog as a Syslog receiver and send it to Splunk.

See my example on how to set up Splunk as a non-root user and rsyslog here:

https://forum.mikrotik.com/viewtopic.php?p=888802#p888802

PickleRick
SplunkTrust

It depends on the device you want to ingest logs from.

One thing is the protocol - with network devices usually syslog is used to send events from a router/firewall/switch/lb/whatever to a syslog receiver. It's usually good to have a separate syslog-processing solution (sc4s, rsyslog) pushing events to Splunk via HEC or storing in files to be read by a forwarder. But some apps for specific sources use other methods for obtaining at least some data (old Check Points were notorious with their OPSEC LEA, for example).

Another thing is that for some apps to work properly the source device must be configured so that it emits events in a proper format.

So it can be a simple topic but can get quite complicated.

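The pipeline the two replies above describe (jotne: a non-root syslog receiver that passes the logs on to Splunk; PickleRick: a separate syslog-processing step pushing events to Splunk via HEC), shown as an added example. This is not code from the thread, from Splunk or from any of the posters. It assumes a HEC endpoint URL and token (placeholders, supply your own), an arbitrary unprivileged UDP port 5514, and the sourcetype name `cisco:ios`, which you should replace with whatever the TA for your router expects; the Cisco IOS lines are constructed samples, not captured traffic.

```python
# Added example: Cisco IOS syslog -> Splunk HEC, listening as a normal user.
import json
import re
import socket
import time
import urllib.request

# Constructed sample lines in the form a Cisco IOS router emits over UDP syslog.
# Cisco uses facility local7 (23) by default: <189> = 23*8 + 5 (notice).
SAMPLE_LINES = [
    "<189>123: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<190>124: *Mar  1 00:13:01.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.9(4432) -> 10.0.0.1(22), 1 packet",
    "<187>125: *Mar  1 00:14:10.222: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco IOS message id: %FACILITY-SEVERITY-MNEMONIC: free text
CISCO_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$", re.DOTALL)


def parse_syslog(line: str) -> dict:
    """Split the RFC 3164 <PRI> prefix and, if present, the Cisco IOS message id.

    Raises ValueError on lines without a valid PRI so the caller can count and
    drop them instead of indexing garbage.
    """
    m = PRI_RE.match(line.strip())
    if not m:
        raise ValueError(f"missing <PRI> prefix: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # facilities run 0..23, so PRI is at most 23*8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    event = {
        "syslog_facility": facility,
        "syslog_severity": SEVERITY_NAMES[severity],
        "message": m.group(2),
    }
    c = CISCO_RE.search(event["message"])
    if c:
        event.update({
            "cisco_facility": c["fac"],
            "cisco_severity": int(c["sev"]),
            "cisco_mnemonic": c["mnem"],
            "text": c["text"],
        })
    return event


def to_hec_event(parsed: dict, host: str, received: float,
                 sourcetype: str = "cisco:ios", index: str = "network") -> dict:
    """Wrap a parsed line in the JSON envelope HEC's /services/collector/event expects.

    The receive time is used as the event time on purpose: the router's own
    timestamp ("*Mar 1 ...") carries no year, and the leading '*' means the
    router clock is not authoritative, so it cannot be trusted for ordering.
    sourcetype/index are assumed names; use the ones your TA expects.
    """
    return {"time": received, "host": host, "source": "syslog:udp",
            "sourcetype": sourcetype, "index": index, "event": parsed}


def hec_batch(events: list) -> bytes:
    """HEC accepts several events in one POST as newline-separated JSON objects."""
    return "\n".join(json.dumps(e) for e in events).encode()


def post_to_hec(batch: bytes, hec_url: str, token: str) -> int:
    """POST a batch to HEC (placeholder URL/token). HEC authenticates with
    the header 'Authorization: Splunk <token>'."""
    req = urllib.request.Request(
        hec_url, data=batch, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def receive_loop(bind_port: int = 5514,
                 hec_url: str = "https://splunk.example.invalid:8088/services/collector/event",
                 token: str = "REPLACE-WITH-HEC-TOKEN") -> None:
    """Listen on an unprivileged UDP port, so this can run as an ordinary user
    (binding 514 would need root). Point the router's logging host at this port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", bind_port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            parsed = parse_syslog(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print(f"dropped line from {src_ip}: {exc}")
            continue
        post_to_hec(hec_batch([to_hec_event(parsed, host=src_ip, received=time.time())]), hec_url, token)


if __name__ == "__main__":
    # Offline run over the constructed samples: prints the HEC batch it would POST.
    print(hec_batch([to_hec_event(parse_syslog(l), host="rtr-edge-01", received=time.time())
                     for l in SAMPLE_LINES]).decode())
```

In practice you would normally let rsyslog (imudp on a high port, then omhttp to HEC or a file picked up by a universal forwarder) or SC4S do this job rather than a hand-written receiver; the script only makes visible what that pipeline has to do: bind without root, keep the facility/severity from the PRI, pull out the Cisco `%FACILITY-SEVERITY-MNEMONIC` id so the TA's field extractions have something consistent to work on, and attach host, sourcetype and index before the event reaches the indexer.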