This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Splunk, Sophos UTM9, parsing logs from UDP input

Hello all.

So, Sophos UTM9 don't have official addon for Splunk.

1) And I need to parsing logs via UDP input. How should I do it?

Or,

2) I will install one random addon from splunkbase (there are 3 non-official addons) but the problem is that the addons is intended to collect data from the file, and not from receiving at udp 514 port. How should I reconfigure conf files to make it work?

This thread was automatically locked due to age.

Parents

0 dirkkotte over 7 years ago

i send all my UMT9 data via syslog to splunk.

you have to create/activate the syslog listener at splunk before.

afterwards you can search for UTM data within splunk database.

mostly the add-ons are graphical tools to visualise the received data.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dirkkotte over 7 years ago

i send all my UMT9 data via syslog to splunk.

you have to create/activate the syslog listener at splunk before.

afterwards you can search for UTM data within splunk database.

mostly the add-ons are graphical tools to visualise the received data.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Ksenija Torben over 7 years ago in reply to dirkkotte

Thank you for answer!

But, can you tell me more in details all processes, perhaps with screenshots (where settings are needed, or configuration files), so I better understand. Because I'm a very green noob in the Splunk.

I supposedly understood what you said, but I do not know what to do :D
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 7 years ago in reply to Ksenija Torben

Hi,

i'll try to help you :-)

where is the problem?

- sending syslog from UTM

- receiving syslog with Splunk

- searching for data within splunk

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ksenija Torben over 7 years ago in reply to dirkkotte

The problem is that Sophos UTM9 sending logs to my Splunk Cloud, but not all logs parsing and not all fall into the Data Model in Splunk.
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 7 years ago in reply to Ksenija Torben

Sorry, i can't help configuring the internal parsing function inside Splunk.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Splunk, Sophos UTM9, parsing logs from UDP input

Submitted a Tech Support Case lately from the Support Portal?