
Splunk, Sophos UTM9, parsing logs from UDP input

Hello all.

So, Sophos UTM9 doesn't have an official add-on for Splunk.

1) I need to parse logs via a UDP input. How should I do it?

Or,

2) I will install one random add-on from Splunkbase (there are 3 non-official add-ons), but the problem is that the add-ons are intended to collect data from a file, not from receiving on UDP port 514. How should I reconfigure the conf files to make it work?

  • I send all my UTM9 data via syslog to Splunk.

    You have to create/activate the syslog listener in Splunk first.

    Afterwards you can search for UTM data within the Splunk database.

    Mostly the add-ons are graphical tools to visualise the received data.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
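The reply above says to create the syslog listener in Splunk first; the original question asks how to change an add-on that expects file input so it works with UDP 514 instead. The following is an added example, not configuration from the thread, from Sophos or from any of the Splunkbase add-ons. It shows the usual file-based `monitor` stanza beside the UDP `[udp://514]` stanza that replaces it, and a minimal `props.conf` for the same sourcetype. The app directory, the index name `sophos_utm`, the sourcetype name `sophos:utm` and the timestamp format are assumptions: use the sourcetype your add-on defines, because Splunk keys field extractions (and the CIM tags that feed Data Models) on the sourcetype, not on where the data came from.

```ini
# --- inputs.conf ---------------------------------------------------------
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf on the
# Splunk instance (or heavy/universal forwarder) that receives the syslog
# traffic. Index and sourcetype names below are placeholders.

# Typical add-on stanza: reads UTM logs that something else wrote to disk.
# Leave it commented out (or delete it) when switching to UDP.
# [monitor:///var/log/sophos_utm/*.log]
# sourcetype = sophos:utm
# index = sophos_utm

# Replacement: listen on UDP 514 and tag the events with the SAME sourcetype
# the add-on uses, so its props/transforms and CIM field aliases still apply.
# Binding to a port below 1024 needs root (or a capability); a forwarder
# running unprivileged can use e.g. [udp://5514] instead.
[udp://514]
sourcetype = sophos:utm
index = sophos_utm
connection_host = ip
no_appending_timestamp = true

# --- props.conf ----------------------------------------------------------
# Sophos UTM syslog events are one line each and carry key="value" pairs,
# so automatic KV extraction gets most fields. The timestamp format is an
# assumption about the UTM log prefix (e.g. 2019:01:01-12:00:00); verify it
# against a real event before relying on it.
[sophos:utm]
SHOULD_LINEMERGE = false
KV_MODE = auto
TIME_PREFIX = ^
TIME_FORMAT = %Y:%m:%d-%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
```

Two practical notes. First, if the destination is Splunk Cloud (as in the later reply in this thread), the UDP listener cannot run inside the cloud instance: put this `inputs.conf` on a forwarder inside your own network, let it receive the syslog traffic on UDP, and forward to Splunk Cloud from there. Second, `KV_MODE = auto` only extracts fields; events appear in a Data Model only when the sourcetype also carries the add-on's CIM field aliases and `tag` definitions, which is the main reason to reuse the add-on's sourcetype rather than inventing a new one.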

  • Thank you for the answer!

    But can you tell me all the steps in more detail, perhaps with screenshots (where settings are needed, or configuration files), so I understand better? Because I'm a very green noob in Splunk.

    I supposedly understood what you said, but I do not know what to do :D

  • Hi,

    I'll try to help you :-)

    Where is the problem?

    - sending syslog from UTM

    - receiving syslog with Splunk

    - searching for data within splunk


    Dirk


  • The problem is that Sophos UTM9 is sending logs to my Splunk Cloud, but not all logs are parsed and not all fall into the Data Model in Splunk.

  • Sorry, I can't help with configuring the internal parsing function inside Splunk.


    Dirk
