Getting Data In

How to Onboard a device in Splunk?

debjit_k
Path Finder

Hi All, 

 

I want to onboard a new device in Splunk, which is a Sangfor firewall. My question is: how can I onboard it so that it also becomes CIM compliant?

 

My basic understanding is:

 

The team will configure syslog to send logs to our syslog server.

From syslog -> UF -> IDX -> SH 

 

I believe on the IDX I need to define the inputs.conf file for the new FW. Now my question is: does Sangfor have any add-on (like Palo Alto, which carves the data itself into proper field names, tags, everything)? If it has one, can anyone please help me with the link, and where I need to install this add-on (search head, IDX or UF) to make my data CIM compliant?

 

Thanks


gcusello
SplunkTrust

Hi @debjit_k,

the Sangfor firewall doesn't have an Add-On on Splunkbase, so you need to create a new CIM 4.x compliant one.

There are two different approaches to Add-Ons:

  • create different add-ons for the roles: one for the input and one for parsing,
  • use the same Add-On for all roles,

I usually prefer the second one.

In the Add-On you have to put:

  • the inputs.conf file to ingest the files that, I suppose, you receive using an rsyslog or syslog-ng server,
  • the props.conf file to contain all the parsing options (props.conf, transforms.conf),
  • all the CIM compliance transformations (eventtypes.conf, tags.conf, props.conf, transforms.conf and eventually lookups).

To create a CIM 4.x compliant Add-On you can use the Add-On Builder App (https://splunkbase.splunk.com/app/2962) or an App like SA-cim_vladiator (https://splunkbase.splunk.com/app/2968) to identify the transformations required.

You could use the second one for Add-On definitions and the first one for CIM 4.x compliance checks.

In a few words you have:

  • to extract all the fields required (here you can find the required and the optional fields for each Data Model: https://docs.splunk.com/Documentation/CIM/5.1.1/User/Howtousethesereferencetables ),
  • to normalize field names, creating aliases for your field names,
  • to normalize some field values (e.g. for the action field you must use the following values: success, failure, pending, error),
  • eventually add lookups.

Ciao.

Giuseppe

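As an added illustration, not taken from the thread above or from any vendor-supplied add-on, here is a minimal single-Add-On layout of the kind the answer describes, targeting the CIM Network_Traffic data model (whose action values are allowed, blocked and teardown). The Sangfor log format is not given anywhere in this thread, so the sample event, the vendor field names (srcip, dstip, sport, dport, proto, policy), the monitor path and the app name sangfor_ta are all assumptions to be replaced with what the firewall actually sends. The comments also say where each file takes effect in the syslog -> UF -> IDX -> SH chain: a universal forwarder only reads files, so line breaking and timestamping happen on the indexers, and field aliases, lookups, eventtypes and tags are search-time and live on the search heads (deploying the whole app everywhere is harmless and is the usual practice).

```ini
# Assumed sample event written by rsyslog/syslog-ng to /var/log/syslog-ng/sangfor/fw01.log
# (constructed for this example, not a real Sangfor record):
#   Jan 15 10:22:03 fw01 sangfor: policy=permit srcip=10.1.2.3 sport=51234 dstip=8.8.8.8 dport=53 proto=udp bytes=120

# --- sangfor_ta/default/inputs.conf --- takes effect on the UF that reads the syslog files
[monitor:///var/log/syslog-ng/sangfor/*.log]
sourcetype = sangfor:fw
index = firewall
disabled = 0

# --- sangfor_ta/default/props.conf ---
# Index-time settings (LINE_BREAKER, SHOULD_LINEMERGE, TIME_*) take effect on the indexers;
# the remaining stanza entries are search-time and take effect on the search heads.
[sangfor:fw]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
# Search-time: extract the assumed key=value body into vendor-named fields
REPORT-sangfor_kv = sangfor_kv
# Normalize field names to CIM Network_Traffic names via aliases
FIELDALIAS-sangfor_cim = srcip AS src dstip AS dest sport AS src_port dport AS dest_port proto AS transport
# Normalize the vendor action value (permit/deny/drop) to CIM action (allowed/blocked) via a lookup
LOOKUP-sangfor_action = sangfor_action_lookup policy OUTPUT action
EVAL-vendor_product = "Sangfor Firewall"

# --- sangfor_ta/default/transforms.conf --- search-time, search heads
[sangfor_kv]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
CLEAN_KEYS = 1

[sangfor_action_lookup]
filename = sangfor_action.csv
case_sensitive_match = false

# --- sangfor_ta/lookups/sangfor_action.csv --- search heads
# policy,action
# permit,allowed
# deny,blocked
# drop,blocked

# --- sangfor_ta/default/eventtypes.conf --- search heads
[sangfor_fw_traffic]
search = sourcetype=sangfor:fw

# --- sangfor_ta/default/tags.conf --- search heads
# The Network_Traffic data model selects events tagged network AND communicate
[eventtype=sangfor_fw_traffic]
network = enabled
communicate = enabled
```

After deploying, a quick check on the search head is `sourcetype=sangfor:fw | table _time src src_port dest dest_port transport action tag`: every row should show the CIM field names populated and the tags network and communicate. If `| datamodel Network_Traffic All_Traffic search` returns nothing while the raw search does, the tags or the eventtype are not reaching the search head; if the raw events arrive merged or with the wrong timestamp, the index-time stanza is not on the indexers (those settings need an indexer restart, the search-time ones do not).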