
Splunk to capture data rather than receive

rb51
Explorer

hi all,

I am working on a PCI environment and need to get audit logs from Linux RHEL machines into Splunk.

LAN Segment A: Splunk
LAN Segment B: Target VMs
LAN Segment C: "proxy" syslog collector separated by 2x sets of FWs from LAN Seg A, 1x set FW LAN Seg B

I need to send logs from Target VMs to proxy syslog VM (I will configure and test this). Then I have to set up Splunk to collect all these logs from the proxy syslog, but the traffic can only go ONE way, i.e., from Splunk to the proxy VM.

My understanding is that when syslog is configured on devices it "sends" the data to Splunk (if data input config in place) rather than the other way round (Splunk listens to the syslog port).

Is this possible? Reading "Get data in" doc sounds like it is the other way round, i.e., always from target devices to Splunk.

Apologies for the dumb question.


jwelch_splunk
Splunk Employee

A Splunk Universal Forwarder, which is what you would install on your Syslog Aggregator, sends UNI-directional traffic to the Splunk Indexer.

That is to say the source is the Forwarder, the Destination is the Indexer.

The indexer does not source a connection to the forwarder ever, so the traffic would not be bi-directional.

Now what it sounds like you are saying is you want the Splunk Indexer to reach out to the Syslog Aggregator to pull the data. This is not how Splunk works.

So some ideas around this would be an SSH Tunnel / Drive mappings etc. All of which you would set up and maintain. It makes it more complicated but there are ways you could "make this work".

My vote would be to get an exception in your policy to allow the Syslog Aggregator to be able to source traffic to the Splunk system and call it a day.

Okie


rb51
Explorer

Okie,

Thanks for replying.

I will have to set up a collector on LAN segment C, and have a scheduled task from Splunk to collect the logs from the collector via SSH and monitor that directory.

Hopefully this will meet the requirements.

thanks ric

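The arrangement rb51 settled on, as an added example that is not part of the thread: a cron-driven script on the Splunk host that pulls the collector's log directory over SSH (a tar stream carried over that connection) into a local spool that an inputs.conf monitor stanza picks up, so the only connection is sourced from the Splunk side. The collector hostname, the `splunkpull` account, the key file and all paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a one-way log pull initiated from the
# Splunk host, run from cron, landing files in a spool that inputs.conf monitors.
# Hostnames, paths, key file and the splunkpull account are assumed values.
set -eu
# Splunk-side spool dir; matching inputs.conf stanza on the Splunk host:
#   [monitor:///var/splunk-pull/collector-c]
#   sourcetype = syslog
SPOOL_DIR="${SPOOL_DIR:-/var/splunk-pull/collector-c}"

# pull_logs TRANSPORT SRC_DIR DEST_DIR
# TRANSPORT executes a shell command string on the collector: in production
# "ssh -o BatchMode=yes -i /etc/splunk-pull/id_ed25519 splunkpull@collector-c",
# for an offline run "sh -c". Only the Splunk side ever opens a connection, which
# is what the one-way rule between segments A and C allows.
pull_logs() {
    transport=$1; src=$2; dest=$3
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # Stream a tar archive of the collector's log tree back over the same
    # connection and unpack it locally; tar is present on every RHEL host.
    # shellcheck disable=SC2086
    $transport "tar -C '$src' -cf - ." | tar -C "$dest" -xf -
    # Timestamp the pull so a stale spool can be alerted on from Splunk itself.
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dest/.last_pull"
}

# count_pulled DEST_DIR: prints the number of log files now in the spool.
count_pulled() {
    find "$1" -type f ! -name '.last_pull' | wc -l | tr -d ' '
}

# demo_pull: constructed local stand-in for the collector so the pull path can
# be exercised offline; prints the number of files that landed in the spool.
demo_pull() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/rhel-b1"
    printf 'Jan  1 00:00:00 rhel-b1 sshd[1201]: Accepted publickey\n' > "$tmp/src/rhel-b1/secure"
    printf 'type=USER_CMD msg=audit(1704067201.000:42): cwd="/root"\n' > "$tmp/src/rhel-b1/audit.log"
    pull_logs "sh -c" "$tmp/src" "$tmp/spool"
    count_pulled "$tmp/spool"
}

# Cron on the Splunk host (assumed): */5 * * * * splunk /usr/local/bin/pull_logs.sh run
case "${1:-demo}" in
    run)  pull_logs "ssh -o BatchMode=yes -i /etc/splunk-pull/id_ed25519 splunkpull@collector-c" \
                    /var/log/remote "$SPOOL_DIR" ;;
    demo) demo_pull ;;
esac
```

Pinning the pull key on the collector to that single tar command with an authorized_keys `command=` option keeps the `splunkpull` account from being usable for anything else over the tunnel.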