Splunk Search

How to get forwarded data into Splunk Enterprise?

eholz1
Contributor

Hello Members,

I have a basic question - I am not sure how to get data into splunk, into a custom index, use a source type, and then extract fields. I have the add-on installed for Cisco network devices, but not sure it is the correct app to use for my case.

I have a remote syslog server (running rsyslog) that builds log files for cisco switches and routers.

I have a universal forwarder installed on the syslog server, it forwards data to splunk IF I configure it correctly. I have tried configuring the Splunk receiver two ways: one using the "Forwarding and receiving" option from the "DATA" area - this works - but only allows showing data from the host sending the log info. And uses only 1 port, I am using 9997.

I have not seen how to set a data source or source type for the incoming data.

The second way seems to be using the "Data Inputs" part of the "DATA" area. This seems to not be possible, as the data is coming from a Universal forwarder not a Splunk Enterprise configured as a forwarder.

How can I assign a source type and index to the data that does come in from the host that is configured with port 997 as a receiver? Sorry for such a confusing question.

Regards,

eholz1

1 Solution

gcusello
SplunkTrust

Hi @eholz1,

let me understand:

  • you have an rsyslog server that receives data from cisco routers and switches and writes them in files,
  • you installed a Forwarder (Universal or Heavy?) on the syslog server,
  • You configured your Forwarder to send data to the Indexer,
  • you created an input that reads the files written by the rsyslog server,
  • you installed the Cisco-Add-On on the Forwarder,

Is this correct?

Now I have some additional questions:

  • are data written in files on the Forwarder?
  • did you install the Cisco-Add-On also on Indexers and Search Heads?
  • Do you have data in Indexers?
  • are they correctly parsed?

As you can easily understand, I described the steps to configure the syslog input using an rsyslog server.

Ciao.

Giuseppe


eholz1
Contributor

Hello and thanks for the information,

I think I understand now. I am forwarding logs from my syslog server - using rsyslog. This is NOT a cisco device.

So, I will guess that using a source type of "cisco:ios" will not really give me the extraction for the IP address of a switch without using a field extraction from the event that comes from the syslog server.

But - if I should configure a switch or router to send its log files directly to splunk, and use the TA_cisco app or the cisco:ios source type, the IP address would be available?

Please clarify that for me.

thanks,

eholz1

gcusello
SplunkTrust

Hi @eholz1,

are you receiving syslogs in a Heavy or Universal Forwarder?

If Universal, you need to install the TA only on the indexer.

If instead you are using a Heavy Forwarder, it cooks data so you need to install the TA also on the HF.

Then check if the sourcetype you're using is the one used in the TA.

Ciao.

Giuseppe

eholz1
Contributor

Hello Giuseppe,

Wow, fast response. I am using a Universal Forwarder on the syslog server - it forwards logs created and formatted using rsyslog.

I do have the TA installed on the Splunk indexer.

I will double check settings to ensure I am using the correct source type from the TA.

eholz1
Contributor

Many thanks gcusello,

I think I am also missing something about getting this to work...

I have a Universal Forwarder installed on the syslog server - uses rsyslog to write log files.

The syslog server/Universal forwarder does send data to the indexer but: I get garbage data - all splunk-cooked-mode-v3 etc. This is using a configuration set in inputs.conf.

I do not have the cisco network app installed on the Universal Forwarder/syslog server.

I do have the cisco network app installed on the Splunk indexer.

I will go back and review my configuration,

thank you very much for the help.

Roy_9
Motivator

@eholz1 Since you said you have installed the Cisco add-on, did you get a chance to look at the inputs.conf and enable it? If it is not available, you need to develop an inputs.conf where you need to mention a monitor stanza with the path and add sourcetype and index manually.
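A worked configuration for the setup described in this thread, added here as an example and not taken from the thread or from Splunk's own documentation: the universal forwarder's monitor stanza that assigns the custom index and sourcetype, its outputs.conf, and the indexer-side receiver and index definition. The file paths, index name, indexer hostname and per-device directory layout are assumptions.

```ini
# ===== On the syslog server running the Universal Forwarder =====
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Assumed layout: rsyslog writes one file per network device under
# /var/log/cisco/<device-host>/ (constructed for this example).
[monitor:///var/log/cisco/*/*.log]
# Custom index; it must exist on the indexer (see indexes.conf below).
index = network
# Use the sourcetype the Cisco TA expects so its field extractions apply.
sourcetype = cisco:ios
# Take the event host from the 4th path segment, i.e. <device-host>,
# instead of the syslog server's own hostname (assumed layout above).
host_segment = 4
disabled = 0

# $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder indexer hostname; the port matches the receiver below.
server = splunk-indexer.example.internal:9997

# ===== On the Splunk Enterprise indexer =====
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Forwarder traffic is "cooked" (Splunk-to-Splunk protocol) and must land
# on a splunktcp receiver. Pointing the forwarder at a plain [tcp://9997]
# network input indexes the raw protocol bytes, which is what shows up as
# events full of "--splunk-cooked-mode-v3--".
[splunktcp://9997]
disabled = 0

# $SPLUNK_HOME/etc/system/local/indexes.conf
# The custom index referenced by the forwarder's monitor stanza.
[network]
homePath   = $SPLUNK_DB/network/db
coldPath   = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thawedb
```

After restarting both instances, searching `index=network sourcetype=cisco:ios` on the search head should return events whose `host` field is the device directory name rather than the syslog server.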

eholz1
Contributor

Thanks for the response. It seems that I cannot configure an input with a custom index and a source-type.

I have data coming in direct from the syslog server using this part of the DATA dialog window using port 9997:

[screenshot of the Forwarding and receiving configuration dialog; image not available]

Thanks for the information,

eholz1
