Hello,
How can I add this app to Splunk? When I add it to Splunk and copy the extracted file "Juniper SSG Firewall Log Analysis" to $splunk/etc/app, it doesn't show me anything in the dashboard.
Please help me.
As jkat54 mentioned, the Splunk Add-on for Juniper is required in order to create the Splunk parsers for Juniper logs. In addition to that, make sure that you run the setup for the Firegen for Juniper app (it should launch automatically when you use it for the first time). During the setup you have to specify or confirm the index used to collect the Juniper logs. For example, if you collect your logs through an index called "ssg", the setup page should look like this:
This setting configures the ssg_index macro used by the analyzer app. If the app still doesn't show any stats after you configure the index, make sure that you do indeed have log entries for the time interval that you are trying to analyze. Open a regular search box and just enter the index and the time interval. The search should return the Juniper entries. Confirm that the entries contain fields such as src, dst, action, service, dst_port, sent and rcvd:
If the fields are not present then it's possible that the Splunk Add-on for Juniper is not installed properly or the log entries are not in the format expected by the add-on. Post a screenshot with the extracted fields if that's the case so we can take a look.
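The field check described in the answer above, written out as an SPL search. This is an added example, not part of the original answer or of the Firegen app: it assumes the index is named "ssg" (the name used in the answer) and a 24-hour window, and it counts how many events carry each of the fields the add-on is expected to extract, so a column that reads 0 while total is non-zero points at the add-on or at an unexpected log format rather than at the analyzer app.

```spl
index=ssg earliest=-24h latest=now
| stats count AS total,
        count(src) AS with_src,
        count(dst) AS with_dst,
        count(action) AS with_action,
        count(service) AS with_service,
        count(dst_port) AS with_dst_port,
        count(sent) AS with_sent,
        count(rcvd) AS with_rcvd
| eval min_extracted = min(with_src, with_dst, with_action, with_service, with_dst_port, with_sent, with_rcvd)
| eval status = if(total == 0, "no events in index for this window",
                if(min_extracted < total, "some events are missing expected fields", "all expected fields present"))
| table status total with_src with_dst with_action with_service with_dst_port with_sent with_rcvd
```

If total is 0, the problem is upstream of field extraction (wrong index, wrong time range, or no data forwarded). If total is non-zero but one of the with_* counts is well below it, look at the sourcetype assigned to those events and at whether the Juniper add-on's extractions apply to it; that is the screenshot the answer asks for.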
The app requires the Splunk Add-On for Juniper (https://splunkbase.splunk.com/app/2847) in order to create the required sourcetypes.
Do you have the add-on installed too?