Splunk Search

Alert when firewall stops reporting to syslog

te25
Engager

Hello. 
I am working on creating an alert in Splunk for detecting when a firewall stops sending logs. We have all logs from firewalls forwarded to syslog in Splunk as sourcetype=pan:traffic. The problem is we have HA pairs (active and passive firewalls), and I don't see how to construct the query to check when BOTH firewalls (let's say active city-fw01 and passive city-fw02) don't send logs. We have more than 100 devices, so I am using a lookup table with the list.
Any idea would be great, thanks.


livehybrid
SplunkTrust

Hi @te25 

This might work; it assumes the lookup has a list of firewalls with a "host" field:

| inputlookup firewall_lookup.csv 
| eval reported=0 
| append 
    [ search index=yourIndex sourcetype=pan:traffic earliest=-15m 
    | stats count by host 
    | eval reported=1 
    | fields host reported ] 
| stats max(reported) as reported by host 
| rex field=host "(?<pair>[^0-9]+)"
| stats sum(reported) as reporting_count, values(host) as firewalls by pair 
| where reporting_count=0 
| table pair firewalls

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


0 Karma

ITWhisperer
SplunkTrust

Have your lookup return the common name for the HA pair and detect when the pair has not sent logs (recently).

0 Karma
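
One way to implement the lookup-driven pair check suggested above, as an added example that is not from any poster in this thread. It alerts only when the most recently heard member of a pair has been silent for more than 15 minutes, and it searches 24 hours back so the result can show when the pair was last seen. Assumptions: firewall_lookup.csv has a "host" column plus a hypothetical "ha_pair" column holding the shared pair name (for example "city-fw" for both city-fw01 and city-fw02), and yourIndex is a placeholder as in the answer above.

```spl
| tstats latest(_time) as last_seen where index=yourIndex sourcetype=pan:traffic earliest=-24h by host
| eval host=lower(host)
| append
    [| inputlookup firewall_lookup.csv
     | eval host=lower(host)
     | fields host ha_pair ]
| stats max(last_seen) as last_seen, values(ha_pair) as ha_pair by host
| where isnotnull(ha_pair)
| eval silent_secs=now() - coalesce(last_seen, 0)
| stats min(silent_secs) as pair_silent_secs, max(last_seen) as pair_last_seen, values(host) as firewalls by ha_pair
| where pair_silent_secs > 900
| eval pair_last_seen=if(isnull(pair_last_seen), "not seen in last 24h", strftime(pair_last_seen, "%F %T"))
| table ha_pair firewalls pair_last_seen
```

Lower-casing host on both sides avoids false alerts when the lookup and the indexed host value differ only in case; hosts that send logs but are missing from the lookup are dropped by the isnotnull(ha_pair) filter.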