Getting Data In

sending syslog to splunk from firewall

avvio
Explorer

Hi,

Sorry new to this.

I have downloaded splunk for Mac which I will install on one of our 10.6 servers. The reason for this is to capture syslog from our firewall.

On the firewall, there is an option to send syslog to a Syslog Server, all I have to do is put in the IP address of the Syslog Server (by default, it uses port 514).

Once I have installed splunk, can I just supply the firewall with the splunk IP? and where does the log go???

Thanks


allamiro
Path Finder

The port you created for your syslog server should be on the data inputs.

Click on that port then click on more settings and you will be able to specify the index you created

then do a search on that index

0 Karma

MHibbin
Influencer

@avvio (welcome back 🙂 ),

Do you mean to see the raw data (i.e. the data from syslog)? - If so, then when you log in to Splunk you should by default land on "Home" screen (next to the Splunk logo (top-left) it should say home)... from here if you navigate to the "Search" App (under "Your Apps" on this screen). You will be taken to a summary page showing details about your Indexed Data. You will probably see a "Source" on this page relating to UDP/514 (can't remember the exact name). If you click this source you will see your events. Likewise, from the summary page you can type in the "Search Bar" something like...

*

Yes, literally that... this will show all data for the selected time period.

In answer to your question, you just use the Manager to set up Splunk, you use your Apps to view the data and play with it! You can also just jump to the "FlashTimeLine" view which would be something like..

http://<YourSplunkServer>:8000/app/search/flashtimeline (this is basically your searching view)

In answer to your other question (re: Where is the captured log...), Splunk stores its data in "Indexes" (not a database). By default, data will always go to the "Main" index (or default index), unless you have specified otherwise. When searching (unless you choose an index), Splunk will default to searching in the Main index.

Hope this answers your question and hasn't confused you :).

If you have any small-ish queries, you can also try the #splunk IRC channel, as there are some very (nice) helpful folk there.

Regards,

MHibbin

0 Karma
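To tie allamiro's and MHibbin's answers together (the UDP/514 input, the index it is assigned to, and the "main" fallback), here is an added example, not code from the thread or from Splunk. It assumes SPLUNK_HOME is /Applications/splunk (the Mac installer's default) and that Web-created inputs live in etc/apps/search/local/inputs.conf; the index name "firewall" is a placeholder.

```shell
# Added example: build the [udp://514] stanza that Manager >> Data inputs
# writes for a UDP input, and read back which index the events will land
# in (Splunk falls back to "main" when the stanza sets no index).
# Assumptions: SPLUNK_HOME defaults to /Applications/splunk; Web-created
# inputs live in etc/apps/search/local/inputs.conf.

SPLUNK_HOME="${SPLUNK_HOME:-/Applications/splunk}"
INPUTS_CONF="${SPLUNK_HOME}/etc/apps/search/local/inputs.conf"

# Print an inputs.conf stanza for the firewall's syslog on UDP/514.
# connection_host = ip keeps the firewall's address as the host field
# instead of a reverse-DNS name; sourcetype = syslog gives the standard
# syslog timestamp/host extraction.
udp_syslog_stanza() {
    index_name="$1"    # e.g. "firewall"; create it first under Manager >> Indexes
    printf '[udp://514]\nsourcetype = syslog\nconnection_host = ip\nindex = %s\n' \
        "$index_name"
}

# Exit 0 only if the given inputs.conf already has a udp://514 stanza.
has_udp514_input() {
    grep -q '^\[udp://514\]' "$1" 2>/dev/null
}

# Print the index set under [udp://514], or "main" when none is set.
udp514_index() {
    awk '
        /^\[/ { in_stanza = ($0 == "[udp://514]") }
        in_stanza && /^index[ \t]*=/ {
            sub(/^index[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "main" }
    ' "$1"
}

# UDP/514 is a privileged port, so the listener only binds if Splunk has
# enough rights. Check on the Mac server before pointing the firewall at it
# (lsof lists "UDP *:514" when the socket is open).
check_udp514_listener() {
    lsof -nP -iUDP:514 2>/dev/null | grep -q ':514'
}

# Typical use, as the user that owns the Splunk install:
#   mkdir -p "$(dirname "$INPUTS_CONF")"
#   udp_syslog_stanza firewall >> "$INPUTS_CONF"
#   "$SPLUNK_HOME/bin/splunk" restart
#   "$SPLUNK_HOME/bin/splunk" enable boot-start   # keep receiving after reboots
#   check_udp514_listener && echo "UDP/514 is open"
```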

avvio
Explorer

Hi, I am back again.

I have now installed Splunk, added a UDP port 514 network input (by following "Get data from TCP and UDP ports"). Directed the syslog from our Firewall to the 'Splunk server'. Set the machine to boot-start (see above post from MHibbin - thanks it works!). All seems fine and straightforward.

Now this is where I get stuck. Where is the captured log on the Splunk server because I did not have to specify where it should go? And how do I look at this log? On the Web interface, I think I need to go to Manager >> Data inputs but I don't know what else to do here. Please can someone point me in the right direction (it's installed on a 10.6 Server)?

Thanks.

0 Karma

avvio
Explorer

Been away for a few days but now back. Thanks mloven and MHibbin for the replies. Will have a go now and hope it will be easy to set up.

0 Karma

MHibbin
Influencer

avvio,

To enable Splunk to run from boot.. Once you have installed Splunk, you will need to start the Splunk services and then you may need to use the "$SPLUNK_HOME/bin/splunk enable boot-start" command. I'm not sure of the defaults on Mac... I know that Windows runs Splunk as a service from boot by default, but I have had to use the previous command when running on my Linux machines (which I would imagine to be same for Mac, as they are similar).

As mloven states Splunk will continue to receive syslog as long as the environment remains stable (i.e. network connectivity, the machine running Splunk, and Splunk itself). The main issue (and this shouldn't put you off, it's just something to bear in mind) is that syslog using UDP is not stable, as you may be aware. Due to the nature of UDP being a best-effort protocol (sending packets regardless of the connection/network conditions), if there is some downtime on network or the Splunk installation, you may lose some data.

Depending on the criticality of the firewall you are collecting from, you may be interested in the following article.. http://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input. To summarise this article, it mentions setting up either another installation of Splunk as a Heavy Forwarder or a syslog server (possibly the better solution). This will mean that if Splunk does go down for some reason, another installation continues to collect the data (it just adds a bit of resiliency to your setup).

Hope this helps

0 Karma

mloven
Path Finder

avvio,

I only have experience with the Linux install of splunk, so I may not get this totally right, but I think I can answer your question regardless.

Once Splunk is installed, is running, and is set to run on startup, then splunk will continue to receive syslogs as long as the firewall is sending them. No user needs to be logged in for the syslogs to be received. You'd only need to log in if you want to look at those logs.

The docs here show installation instructions for MacOS.

HTH

0 Karma

avvio
Explorer

Hi, me again.

I still haven't installed Splunk yet until I have read everything up about it first.

I have read quite a lot of pages on the Splunk website, especially the "Use Splunk Web" section, the "Install on Mac", and the "Get Data from TCP and UDP" pages and understood what needs to be done before and after installation. However, I cannot find any information if Splunk runs in the background like a service, or do I have to login to the user that Splunk is setup under? I.e. will Splunk continue to receive log from the firewall if the computer is restarted and left in the login screen?

Thanks.

0 Karma

mloven
Path Finder

avvio,

As you said, you set the firewall to point its syslogs to the splunk ip address. In addition, on the Splunk server, you have to add your data input. Look at the docs here: http://docs.splunk.com/Documentation/Splunk/4.3/Data/Configureyourinputs

Specifically you want to pay attention to the "Use Splunk Web" section.

HTH

0 Karma

avvio
Explorer

Thanks for that mloven. Will have a look at the link you sent me.

Regards.

0 Karma