Getting Data In

Splunk for Cisco Firewalls - Forwarder & Separate Index

gdavid
Path Finder

I'm trying to setup Splunk for Cisco Firewalls
I am trying to setup 2 things here:
1. the UDP Syslog input on my forwarder and not the splunk indexer where the app is installed.
2. separate out the indexes for certain high volume firewalls/devices.

i found this article [http://answers.splunk.com/answers/75939/split-syslog-udp514-from-multi-hosts-to-multi-indexes] on how to accomplish separating the index out. I already see tons of entries in the props.conf and transforms.conf and i don't want to break the app in the process.

i am also not sure how to setup this whole thing using a forwarder in between. I have experience setting up other apps, but they have portions that usually get deployed out to a forwarder.

thanks

Gd.

0 Karma

antlefebvre
Communicator

In index.conf on the universal forwarder machine create a different udp port for each firewall. Send to that port from the firewall that belongs to that index.

[udp://portfromfirewall]

connection_host = ip
index = index_you_want_to_send_to
sourcetype = your_Sourcetype

In your outputs.conf

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = yoursplunkserver:9997

[tcpout-server://yoursplunkserver:9997]

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...