Splunk Enterprise

Having Syslog logs into SPLUNK

siemsplunk
Explorer

We are in the process of data onboarding.

We managed to deploy a distributed architecture in which we have 3 indexers, 3 search, mastercluster, deployer, deployment, and 2 intermediate forwarders.

On my syslog server, I receive logs from the firewall through syslog port 10514, and I managed to install a forwarder on my syslog server connected to my deployment server. In my forwarder configuration file, I connect to both intermediate forwarders.

Now help me to finish this task: how can I manage to see the firewall logs in my Splunk? What do you think I should edit on my syslog server? Please remember I don't write the syslog logs (firewall) into a file. It's on-stream logs.

My forwarder inputs.conf file:

[udp://514]
connection_host = ip
index = tcra_firewall_idx
sourcetype = tcra:syslog:log

0 Karma
1 Solution

Tom_Lundie
Contributor

Hi,

It sounds like you've made great progress, nice one.

There are multiple designs and opinions out there regarding getting syslog into Splunk. It's up to you to decide what's best.

To get you started, there are tools such as Splunk Connect For Syslog, which provides an "all in one" feel. You can also use a syslog service such as rsyslog or syslog-ng to listen for your logs and cache them to disk, and then forward them via a monitor stanza in inputs.conf.

However, if you want Splunk to listen directly, here is an example inputs.conf that you can tweak for your deployment:

[udp://10514]
disabled = false
connection_host = ip
sourcetype = <<firewall_product>>
index = main

For sourcetype, look on Splunkbase for your firewall vendor to check if there is an appropriate TA that you can use for field extractions. For example, a Palo Alto firewall would be pan_log.

For index, pick an appropriate index to suit your needs.

Finally, inputs.conf can either be deployed within an app (recommended) or directly under /opt/splunk/etc/system/local/.

Also, make sure that 10514 is permitted on the local firewall.


0 Karma

siemsplunk
Explorer

Thanks for the help

I see the logs now.

I tried to use a different port to take the logs from the syslog conf file.

source s_network {
udp(port(10514));
};

destination d_splunk {
udp("localhost" port(11514));
};

log {
source(s_network);
destination(d_splunk);
};


For this now I see the logs...

0 Karma
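Added example, not code from either poster: a Python check of the loopback hop above, pairing siemsplunk's syslog-ng destination on localhost port 11514 with the `connection_host = ip` setting in Tom_Lundie's inputs.conf stanza. The firewall name `fw-edge-01`, the filterlog line and the ephemeral-port default are constructed assumptions; the check shows that behind the relay the source address the forwarder sees is 127.0.0.1, not the firewall named in the syslog header.

```python
import re
import socket

# Constructed sample datagram, shaped like what syslog-ng relays on to the
# forwarder listener (RFC 3164: <PRI>TIMESTAMP HOSTNAME TAG: MSG).
SAMPLE_MSG = b"<134>Dec 12 10:15:42 fw-edge-01 filterlog: pass,in,udp,10.0.0.5,8.8.8.8,53"

SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def parse_syslog(raw: bytes) -> dict:
    """Split an RFC 3164 datagram into facility, severity, header host and message."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 syslog message")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts").decode(),
        "header_host": m.group("host").decode(),
        "message": m.group("msg").decode(),
    }


def relay_check(payload: bytes = SAMPLE_MSG, port: int = 0, timeout: float = 2.0) -> dict:
    """Stand in for the forwarder's [udp://<port>] listener on loopback, push one datagram
    through the same localhost hop the syslog-ng destination uses, and report what Splunk
    would see.  port=0 picks a free port; pass 11514 to mirror the thread's config."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    listener.settimeout(timeout)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(payload, listener.getsockname())
        data, (src_ip, _) = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    parsed = parse_syslog(data)
    # With connection_host = ip Splunk stamps the host field with src_ip, which behind
    # the relay is 127.0.0.1 rather than the firewall named in the syslog header.
    parsed["connection_ip"] = src_ip
    parsed["host_field_mismatch"] = src_ip != parsed["header_host"]
    return parsed
```

When the forwarder really sits behind a localhost relay, `host_field_mismatch` is the signal that the host field will read 127.0.0.1 unless the header hostname the parser extracts is used instead.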

siemsplunk
Explorer

@Tom_Lundie what about the syslog configuration? What should I do with it?

0 Karma

Tom_Lundie
Contributor

I'm not sure what you're stuck with.

Ideally, I would need to see your current configurations and error messages to support.

What configuration file(s) are you stuck with?
Are your _internal logs reaching the Indexers?
Are you getting any errors?

0 Karma

siemsplunk
Explorer

Thank you so much for your help.

I'm new to Splunk and I really want to master it. I will go and check the config as you said and I will let you know.

0 Karma
