Well now that we have Splunk up and running, it is time to start making some use of it. In this post, we’ll configure Splunk to accept syslog feeds from network devices. Syslog (RFC 3164) is an industry standard protocol for ‘the transmission of event notification messages across networks.’ Basically, it is a real-time feed of what is happening on a system…sounds like just the ticket for Splunk. There are a few reasons we really like syslog and want to be able to make use of it with Splunk. The main one is that Splunk itself understands syslog, and can do a fair amount of data analysis given syslog feeds. If that is not enough to convince you, consider…
- Practically all networking devices, from routers and switches to firewalls and VPN concentrators ‘speak’ syslog.
- Unix and Linux (and all other ix-ishes) ‘speak’ it too.
- As a result, most network and security engineers and sysadmins are already familiar with it, and most of our network infrastructure can use it.
- The excellent open-source Snare agent can be installed on Windows to export event logs as a syslog feed, sharing the love with Windows admins.
If you read my earlier post on installing Splunk then you may remember that I suggested you open UDP port 514 on the Windows firewall of your Splunk host. If not, go back and read that, make sure the port will not be blocked, and then come back. It’s okay, we’ll wait.
Ready? Great, let’s go. Once you log on to your Splunk instance, and access the Manager console, there are four simple steps to accepting syslog feeds.
- Click on Data inputs.
- At the far right of the UDP row, click “Add new.”
- Enter 514 for the UDP port, set sourcetype to "From list," and from the dropdown box select syslog.
- Click Save, and you're done.
Now all you have to do is configure your various hosts to export syslog feeds to your Splunk server. In our next Splunk post, due soon, we’ll go over the install and config of Snare on a Windows host.
There are some arguments for using TCP instead of UDP for syslog, as well as for using a different syslog daemon to receive feeds and letting Splunk monitor the file written by that daemon. Consider this best practices document and then make your own decisions. Personally, I don't care to use syslog for anything that requires a forensics-quality data capture…there is no encryption, no authentication, no checksumming, and of course UDP is best effort. I do like syslog for its simplicity and as a source of information for what is happening, and what bears further review, so that's what this post is about. That's how I roll.
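To make the format introduced at the top of the post concrete, and to show in code why the caveats just listed matter, here is a small RFC 3164 parser and builder. It is an added example, not code from the original post and not Splunk's own parsing: it pulls out the fields any syslog consumer works from (PRI decoded to facility and severity, timestamp, hostname, tag, message), flags the events that bear further review, and includes a hypothetical `send_test_message` helper for firing one test datagram at the UDP 514 input configured above. The sample lines are constructed (the first is the example message from RFC 3164 itself), the host names are placeholders, and the short facility names for codes 13 to 15 are this example's own abbreviations.

```python
"""Minimal RFC 3164 (BSD syslog) builder and parser.

Added example, not from the original post. Nothing in a syslog datagram is
authenticated or checksummed, so every field the parser returns, the hostname
included, is simply what the sender chose to write; the only thing the
collector actually observes is the datagram's source IP.
"""
import re
import socket
from datetime import datetime
from typing import Optional

# Facility (0-23) and severity (0-7) names indexed by numeric code
# (RFC 3164 section 4.1.1; codes 13-15 use this example's short names).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)

# Constructed sample datagrams; the first is the example from RFC 3164 section 5.4.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<189>Oct 11 22:14:16 edge-fw-1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "not a syslog message at all",
]
EXAMPLE_TIME = datetime(2024, 10, 11, 22, 14, 15)  # fixed so the builder's output is reproducible


def parse_rfc3164(line: str) -> Optional[dict]:
    """Split one datagram into its fields; returns None for anything not RFC 3164 shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest PRI with a known facility/severity
        return None
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("timestamp"),  # no year and no timezone: the collector must supply both
        "hostname": m.group("hostname"),    # unauthenticated, sender-supplied text
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("message"),
    }


def events_needing_review(lines) -> list:
    """Parsed events at severity 'err' or worse: the 'what bears further review' cut."""
    threshold = SEVERITIES.index("err")
    out = []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev and SEVERITIES.index(ev["severity"]) <= threshold:
            out.append(ev)
    return out


def build_rfc3164(facility: str, severity: str, hostname: str, tag: str,
                  message: str, when: Optional[datetime] = None) -> bytes:
    """Encode one message; the day of month is space-padded as the RFC requires."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode("ascii", "replace")


def send_test_message(collector_host: str, collector_port: int = 514) -> int:
    """Hypothetical helper: send one test datagram to the UDP input from the post.
    Returns the bytes handed to the socket; UDP cannot confirm delivery, so
    confirm arrival with a search on the Splunk side, not with this value."""
    payload = build_rfc3164("local0", "info", socket.gethostname(), "splunk-test",
                            "syslog input test")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (collector_host, collector_port))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rfc3164(line))
    print(build_rfc3164("local0", "info", "splunk-test-host", "tester", "hello", EXAMPLE_TIME))
```

Running it prints the two sample lines broken into fields and `None` for the third; the RFC example decodes as PRI 34, facility `auth`, severity `crit`, which is the kind of event `events_needing_review` keeps. If you prefer configuration files to the Manager console, the same input the four steps above create is a `[udp://514]` stanza with `sourcetype = syslog` in Splunk's `inputs.conf`.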
What about you? What do you think about syslog? Best effort, bullet-proof, or somewhere in between? Sound off in the comments and let us know your thoughts!