Hi All,
I want to onboard a new device in Splunk, which is a Sangfor firewall. My question is how I can onboard it so that it also becomes CIM compliant.
My basic understanding is:
The team will configure syslog to send logs to our syslog server.
From syslog -> UF -> IDX -> SH
I believe in the IDX I need to define the inputs.conf file for the new FW. Now my question is: does Sangfor have any add-on (like Palo Alto, which carves the data itself into the proper field names, tags, everything)? If it has one, can anyone please help me with the link and tell me where I need to install this add-on (search head, IDX or UF) to make my data CIM compliant.
Thanks
Hi @debjit_k,
the Sangfor firewall doesn't have an Add-On on Splunkbase, so you need to create a new CIM 4.x compliant one.
There are two different approaches to Add-Ons:
I usually prefer the second one.
In the Add-On you have to put:
To create a CIM 4.x compliant Add-On you can use the Add-On Builder App (https://splunkbase.splunk.com/app/2962) or an App like SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) to identify the transformations required.
You could use the second one for Add-On definitions and the first one for CIM 4.x compliance checks.
In a few words, you have:
Ciao.
Giuseppe
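As an added example that is not part of either post above, here is the skeleton of a hand-written Add-On that maps firewall traffic events onto the CIM Network_Traffic data model: an inputs.conf stanza for the forwarder, props.conf with index-time parsing plus search-time extractions, aliases and normalisation, and the eventtype/tag pair the data model searches on. The app name TA-sangfor, the sourcetype sangfor:fw, the index name, the file path and the log line format in the comment are all assumptions; the real Sangfor syslog format must be checked against the device's own output and the regex adjusted to it.

```ini
# Constructed sample line (hypothetical format, NOT verified against a real Sangfor device):
# Mar 10 12:00:01 fw01 sangfor: action=deny src=10.1.1.5:51234 dst=8.8.8.8:53 proto=udp app=dns

# ---- TA-sangfor/default/inputs.conf (on the UF that reads the syslog server's files) ----
[monitor:///var/log/syslog/sangfor/*.log]
sourcetype = sangfor:fw
index = firewall
disabled = 0

# ---- TA-sangfor/default/props.conf ----
[sangfor:fw]
# Index-time settings: applied on the first full Splunk instance that parses the data
# (indexer or heavy forwarder), so the TA must be deployed there too.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15

# Search-time settings: applied on the search head.
# Raw vendor fields are extracted under their own names first...
EXTRACT-sangfor_fields = action=(?<fw_action>\w+)\s+src=(?<src_ip>[\d.]+):(?<src_port>\d+)\s+dst=(?<dst_ip>[\d.]+):(?<dst_port>\d+)\s+proto=(?<proto>\w+)\s+app=(?<app_name>\S+)
# ...then aliased to the CIM Network_Traffic field names.
FIELDALIAS-sangfor_cim = src_ip AS src dst_ip AS dest dst_port AS dest_port proto AS transport app_name AS app
# CIM expects action to be one of allowed/blocked/teardown, not the vendor's own words.
EVAL-action = case(lower(fw_action)=="permit","allowed", lower(fw_action)=="deny","blocked", true(),lower(fw_action))
EVAL-dvc = host
EVAL-vendor = "Sangfor"
EVAL-product = "Firewall"

# ---- TA-sangfor/default/eventtypes.conf ----
[sangfor_fw_traffic]
search = sourcetype=sangfor:fw action=*

# ---- TA-sangfor/default/tags.conf ----
# Network_Traffic.All_Traffic only picks up events tagged network AND communicate.
[eventtype=sangfor_fw_traffic]
network = enabled
communicate = enabled
```

Deploy the same TA on the UF (only inputs.conf is used there), on the indexers (index-time props) and on the search head (search-time props, eventtypes, tags); Splunk ignores the stanzas that do not apply on each tier. To check the result, run `| datamodel Network_Traffic All_Traffic search | search sourcetype=sangfor:fw` on the search head and confirm that src, dest, dest_port, transport and action are populated with the expected values, or let SA-cim_vladiator report which required fields are still missing.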