Getting Data In

Syslog -- UF -- Indexer

splunklearner
Path Finder

Hi all,

We want to configure F5 WAF logs into Splunk. The WAF team is sending logs to our syslog server. On our syslog server a UF is installed and it will forward the data to our indexer.

Please help me with any detailed documentation or the steps to follow to ingest the data successfully, and any troubleshooting if needed. I don't know what syslog is, for me...

I am very new to Splunk and learning. Apologies if it is a basic question, but I seriously want to learn.

0 Karma

splunklearner
Path Finder

1. What is FQDN? What is it used for? Where do we need to give this?

2. Why install the add-on on the UF? Doesn't the UF forward these logs to our indexer by giving a monitor stanza in inputs.conf and the indexer IP address in outputs.conf on the UF?

3. How can we install an add-on on the UF (the lighter package can't be opened in the UI)?

4. Which IP address are you referring to? The syslog server or the UF?

0 Karma

gcusello
SplunkTrust

Hi @splunklearner ,

to better understand how to use forwarders for getting data in, please read https://docs.splunk.com/Documentation/Splunk/9.3.1/Data/Usingforwardingagents or search for related videos.

Anyway, answering your questions:

1) FQDN is an option that you can add to your server.conf, but it isn't mandatory; in fact I didn't use it in my answer.

2) The add-on is useful to start correct parsing on the UFs; you have to install it both on the UF and on the Search Head.
Yes, you can add the stanza in inputs.conf and the indexer address in outputs.conf, but you could get incorrect parsing.

3) To install an add-on on the UF you have two choices:

4) The IP address I referred to is the one that you probably have in the path where the F5 logs are written: in other words, usually rsyslog (or syslog-ng, I don't know which you're using) writes logs to a path and the IP address of the sender is a part of this path; this information is useful to associate the correct host with your logs.

Ciao.

Giuseppe

splunklearner
Path Finder

Thanks for your answer.

Just my doubt... what is FQDN used for? In my env it is there. Where do we configure this: on the syslog server, the UF or the indexer?

I believe the add-on you mentioned is not used in our env as of now. Is it seriously recommended to use the add-on?

0 Karma

gcusello
SplunkTrust

Hi @splunklearner ,

if you don't use the add-on, you must manually parse the logs, and it's a job that I'd avoid!

FQDN is an option in server.conf that uses the FQDN instead of the hostname defined in server.conf.

It isn't mandatory and I use it only in the case of multi-tenant environments.

For more info see https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/Serverconf

hostnameOption = [ fullyqualifiedname | clustername | shortname ]
* The type of information to use to determine how splunkd sets the 'host'
  value for a Windows
  Splunk platform instance when you specify an input stanza with
  'host = $decideOnStartup'.
* Applies only to Windows hosts, and only for input stanzas that use the
  "host = $decideOnStartup" setting and value.
* Valid values are "fullyqualifiedname", "clustername", and "shortname".
* The value returned for the 'host' field depends on Windows DNS, NETBIOS,
  and what the name of the host is.
  * 'fullyqualifiedname' uses Windows DNS to return the fully qualified
    host name as the value.
  * 'clustername' also uses Windows DNS, but sets the value to the domain
    and machine name.
  * 'shortname' returns the NETBIOS name of the machine.
* Cannot be an empty string.
* Default: shortname

Ciao.

Giuseppe

0 Karma

splunklearner
Path Finder

And one more quick question: how can we verify whether logs are coming to our syslog server from the network devices? If not, how can we troubleshoot and check whether our syslog server is connected to their network device and whether it's an issue from their end?

0 Karma

gcusello
SplunkTrust

Hi @splunklearner ,

having the logs in Splunk, you can check whether the hosts are sending logs using a simple search:

having a lookup (called e.g. perimeter.csv, with at least one column called host) with all the hosts that must send logs, you could run something like this:

| tstats count WHERE index=* BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

0 Karma

splunklearner
Path Finder

I have already run the SPL command. No data is coming. Now how do I troubleshoot this issue? How do I check connectivity? Sorry if I am asking for more... thanks for your help.

0 Karma

gcusello
SplunkTrust

Hi @splunklearner ,

did you enable receiving on the Indexer [Settings > Forwarding and Receiving > Receiving]?

check the connectivity using telnet from the UF:

telnet ip_indexer 9997

Ciao.

Giuseppe

0 Karma

splunklearner
Path Finder

Yes, done.... I want to check the connection from syslog to the UF... Please help me in this case.

0 Karma

gcusello
SplunkTrust

Hi @splunklearner ,

apply the checks that @dural_yyz hinted at.

In a few words, check the UF configuration less and the syslog configuration more.

Ciao.

Giuseppe

dural_yyz
Motivator

Check the folder on the syslog server where you configured the SYSLOG application to place them. If the files are not there, then there is no forwarding to the Indexers.

1) Check for files present

2) Check the SYSLOG config so that what is received from the WAF is written to the proper file location

3) Check netstat or a wire capture for incoming connections from the WAF source

4) Check the network communications path from the WAF to SYSLOG

0 Karma
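Step 1 of the checklist above (are files actually present, and are they being written right now?) as a script you can run on the syslog server. This is an added example, not code from the thread; the /data/f5_waf-style tree, the 10.0.0.5 sender directory and the log line are constructed in a temp directory so it runs anywhere, and the 15-minute freshness window is an assumption.

```python
import os
import tempfile
import time

def scan_logs(root, max_age_min=15):
    """Walk root and flag every file as fresh/stale and readable/unreadable."""
    now = time.time()
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            age_min = (now - os.stat(path).st_mtime) / 60
            report.append({"path": path,
                           "fresh": age_min <= max_age_min,
                           "readable": os.access(path, os.R_OK)})
    return report

def verdict(report):
    """Map the scan onto the checklist: which side to look at next."""
    if not report:
        return "no files: syslog is not writing here, check its config and the WAF path"
    if not any(f["fresh"] for f in report):
        return "files exist but nothing recent: the WAF stopped sending or syslog writes elsewhere"
    if not all(f["readable"] for f in report if f["fresh"]):
        return "fresh files are unreadable: fix permissions for the user the UF runs as"
    return "ok: fresh readable files, so look at the UF and indexer side next"

def build_demo_tree():
    """Constructed sample tree: one fresh file and one last written two days ago."""
    root = tempfile.mkdtemp(prefix="f5_waf_")
    host_dir = os.path.join(root, "10.0.0.5")   # assumed sender-IP directory
    os.makedirs(host_dir)
    fresh = os.path.join(host_dir, "waflogs_today.log")
    stale = os.path.join(host_dir, "waflogs_old.log")
    for p in (fresh, stale):
        with open(p, "w") as fh:
            fh.write("<134>constructed F5 WAF line\n")
    old = time.time() - 2 * 24 * 3600
    os.utime(stale, (old, old))   # backdate mtime so the file counts as stale
    return root

def run_demo():
    """Scan the constructed tree and return (report, verdict)."""
    report = scan_logs(build_demo_tree())
    return report, verdict(report)

if __name__ == "__main__":
    print(run_demo()[1])
```

Point scan_logs at the real directory (run as the user the UF runs as) to get the same verdict for the production tree.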

gcusello
SplunkTrust

Hi @splunklearner ,

let me understand:

  • your F5 WAF is already sending its logs to your syslog server,
  • the syslog server writes these logs in a file and in a folder,
  • I suppose that in the folder path there's the hostname or IP address of the sender.

In this case, you have to install your UF on the syslog server and then install on this UF the Fortinet Fortigate Add-On for Splunk.

In this add-on, you have to create a local folder and a new conf file called inputs.conf.

If the path of the log files is /data/f5_waf/<ip_address>/<year>/<month>/<day>/ and the filename is waflogs_yyyymmdd.log, in this file you have to add the following stanza:

[monitor:///data/f5_waf/.../waflogs_*.log]
index = your_index
sourcetype = fgt_logs
host_segment = 3
disabled = 0

and then restart the UF.

For more info see https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Data/Monitorfilesanddirectories

Ciao.

Giuseppe

0 Karma
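Before restarting the UF it helps to see what that stanza will do with a real file: whether the path matches the monitor pattern (in Splunk monitor paths "..." spans any number of directory levels while "*" stays within one segment) and which host value host_segment = 3 produces. This added example emulates that resolution in plain Python; it is not code from the thread or from Splunk, the stanza text is the one posted above, and the two sample paths are constructed.

```python
import configparser
import re

# Constructed input: the inputs.conf stanza from the post, used as parser input.
STANZA = """
[monitor:///data/f5_waf/.../waflogs_*.log]
index = your_index
sourcetype = fgt_logs
host_segment = 3
disabled = 0
"""

def parse_monitor(conf_text):
    """Return (path pattern, settings) of the first [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("monitor://"):
            return section[len("monitor://"):], dict(cp[section])
    raise ValueError("no monitor stanza found")

def pattern_to_regex(pattern):
    """Splunk monitor wildcards: '...' spans directory levels, '*' stays inside one."""
    parts = re.split(r"(\.\.\.|\*)", pattern)
    pieces = [".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
              for p in parts]
    return re.compile("^" + "".join(pieces) + "$")

def host_for(path, host_segment):
    """Emulate host_segment: segment 1 is the first directory below '/'."""
    return path.strip("/").split("/")[int(host_segment) - 1]

def resolve(path, conf_text=STANZA):
    """What the UF would do with one file: skip it (None) or index it with this host."""
    pattern, settings = parse_monitor(conf_text)
    if not pattern_to_regex(pattern).match(path):
        return None
    return {"host": host_for(path, settings["host_segment"]),
            "sourcetype": settings["sourcetype"], "index": settings["index"]}

if __name__ == "__main__":
    # Constructed paths: one matching the stanza, one not (wrong file name).
    print(resolve("/data/f5_waf/10.0.0.5/2024/01/15/waflogs_20240115.log"))
    print(resolve("/data/f5_waf/10.0.0.5/2024/01/15/other.log"))
```

If resolve() returns None for a file the syslog daemon really writes, the stanza path or filename pattern is what needs fixing, not the outputs.conf side.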