Configuring Splunk for SonicWall (Linux)
Description
Configuring Splunk for SonicWall (Linux)
Resolution
1) Setting up the server to receive syslogs
- Install rsyslogd using "yum install rsyslog"
- Edit file /etc/sysconfig/rsyslog and change the line SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-r -m 0" to accept syslogs from remote systems
- Stop syslog using "service syslog stop"
- Start rsyslogd using "service rsyslog start"
2) Configure the SonicWall to send syslog to this server.
- Login to the SonicWall management GUI.
- Navigate to Log > Syslog page.
- Click on the add button under Syslog Servers.
- Add the IP/Hostname of the syslog server and click OK
-kA1VN0000000DYU0A2-0EMVN00000EnqzG.png)
3) Install splunk on the server
- Download splunk install file ( wget -O splunk-5.0-140868.i386.rpm 'http://www.splunk.com/page/download_track?file=5.0/splunk/linux/splunk-5.0-140868.i386.rpm&ac=&wget=true&name=wget&typed=releases')
- Install the package using rpm -Uvh splunk-5.0-140868.i386.rpm
- Start the service using /opt/splunk/bin/splunk start
- Open a browser to http://:8000
- Login using admin & changeme
- Click on "Add Data" link on the webpage
-kA1VN0000000DYU0A2-0EMVN00000EnqzE.png)
- On the next page, Click on "From Files & Directories" under "Or choose a data source"
-kA1VN0000000DYU0A2-0EMVN00000EnqzI.png)
- On this page, check the skip preview and click on continue
-kA1VN0000000DYU0A2-0EMVN00000EnqzB.png)
- On the next page, enter the path to the data directory, which is the default directory rsyslog uses(/var/log) and click on save
-kA1VN0000000DYU0A2-0EMVN00000EnqzK.png)
- A success page comes up and gives you option to search your data now.
-kA1VN0000000DYU0A2-0EMVN00000Enqz5.png)
For information on creating reports etc., visit the Splunk documentation page : http://docs.splunk.com/Documentation/Splunk
Related Articles
not finding your answers?