Setting up Splunk for Clavister (11.x)

Security Gateway Articles and How to's

Post by mape » 22 Dec 2016, 14:13

This how-to applies to:
  • Clavister cOS Core 11.x
  • Splunk Enterprise 6.5.1
  • Clavister app for Splunk
Topics covered in this how-to:
  • Adding the Clavister app to Splunk
  • Setting up Splunk
  • Setting up a Syslog Receiver
  • Windows Firewall Settings
  • Downloading Logs
Adding the Clavister app to Splunk
The first thing we need to do is download both the Splunk software and the Clavister app for Splunk.
Splunk can be found here: https://www.splunk.com/
And the Clavister app here (attached to this post):
splunk-for-clavister-cos-core-1-0-0.tar.gz
After installing Splunk to the chosen path (in this case we used the default path), we need to extract the Clavister app into the apps directory of the installation:

\Splunk\etc\apps
(in our case this is the path: C:\Program Files\Splunk\etc\apps)

After the previous step is complete we need to restart the Splunk service. We can do this via the Splunk Web UI or the built-in Services tool in Windows.
In Splunk, go to Settings -> Server Controls -> Restart Splunk
In Windows, go to Services, find the "Splunkd" service, right-click it and choose Restart.
To log onto the Splunk server, use the Splunk program or go to localhost:8000 in your web browser.
The default username is admin and the default password is changeme. Change them straight away under the Administrator menu in Splunk; until you do, anyone who can reach port 8000 on this host can log in with the vendor defaults.


Setting Up Splunk
The only thing that needs to be configured in Splunk is the port it will be listening on for incoming syslog messages.
This is done by first going to Settings -> Data Inputs -> UDP -> New UDP Port
Then entering the following information:
  • Port: We decided to use port 514 (the default port for syslog)
  • Only accept connections from: Since we have Splunk on our internal network we'll be using the IP of the gateway's internal interface, 192.168.30.10, which is the source address the syslog packets arrive from
  • Source Type: Here we can select either Clavister or Syslog. Both options will yield the same results log-wise.
  • Host: This decides how the host name/source of the logs will be displayed. We will use "IP"
  • Index: We select the default setting, which is Default
Keep in mind that "Only accept connections from" is a filter on the source address of each UDP datagram, not authentication: UDP has no handshake and plain syslog carries no integrity check, so treat it as a way to ignore stray senders, not as proof that a log line really came from the gateway.
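The same UDP input expressed as an inputs.conf stanza and put in place with PowerShell, for anyone who prefers to script the Splunk side instead of clicking through the dialog. This is an added example, not part of the original post or of the Clavister app; it assumes the default install path C:\Program Files\Splunk and the addresses used in this how-to, and uses the standard inputs.conf settings acceptFrom, connection_host and sourcetype that sit behind the three UI fields above.

```powershell
# Added example (not from the original post or the Clavister app): the
# "New UDP Port" dialog as an inputs.conf stanza, deployed with PowerShell.
# Assumptions: Splunk under C:\Program Files\Splunk (the post's default path),
# gateway syslog source 192.168.30.10, UDP port 514.

$SplunkHome = 'C:\Program Files\Splunk'
$GatewayIp  = '192.168.30.10'   # internal interface of the cOS Core gateway
$Port       = 514

# etc\system\local is read by splunkd on every restart and is not touched
# when the Clavister app itself is later upgraded or replaced.
$LocalDir  = Join-Path $SplunkHome 'etc\system\local'
$InputsCfg = Join-Path $LocalDir 'inputs.conf'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

$stanza = @"

[udp://$Port]
# "Only accept connections from": a source-address filter. UDP has no
# handshake, so this checks the claimed sender address and nothing more.
acceptFrom = $GatewayIp
# "Host: IP": the host field becomes the sender's IP address.
connection_host = ip
# "Source Type": the post says Clavister and syslog give the same result.
sourcetype = syslog
# No "index" line: events go to the default index (main), as in the UI.
"@

# Append rather than overwrite so any other stanzas in the file survive.
if ((Test-Path $InputsCfg) -and
    (Select-String -Path $InputsCfg -Pattern "^\[udp://$Port\]" -Quiet)) {
    Write-Host "Stanza [udp://$Port] is already present in $InputsCfg"
} else {
    Add-Content -Path $InputsCfg -Value $stanza
}

# Show what splunkd will actually load for this stanza (btool merges every
# inputs.conf on the system and --debug prints which file each line came from),
# then restart so the new input is opened.
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $splunk btool inputs list "udp://$Port" --debug
& $splunk restart
```

After the restart the input appears under Settings -> Data Inputs -> UDP exactly as if it had been created in the dialog; the btool output is the quickest way to spot a stray stanza from another app that overrides yours.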
Setting up a Syslog Receiver in the Clavister Gateway
Under System -> Device -> Log and Event Receivers -> Add Syslog Receiver
  • Name: In this example we use the name Splunk
  • Routing Table: Since our local routes are located in the <main> routing table we select <main>
  • IP Address: 192.168.30.227 (this is the IP of the Windows machine that we are hosting Splunk on)
  • Facility: We leave this setting at its default, Local0
  • Port: 514 (this is the default setting of the Syslog Receiver; the port entered here must match the port we specified in the Splunk settings earlier)
Screenshot: Splunk_Syslog_Settings.png
Windows Firewall Settings
The Windows Firewall blocks the incoming syslog datagrams by default, so if logs are not arriving by now you'll have to allow the port we use for syslog manually.
First navigate to the advanced settings of the Windows Firewall (Windows Firewall with Advanced Security), then create an inbound rule that allows UDP port 514. If you can, restrict the rule's remote address to the gateway's IP on the Scope tab, so the port is not open to every host on the network.

1. Select Port as Rule Type.
Screenshot: Splunk Firewall Rule Type.png
2. Make sure you select UDP and the port that we chose earlier, in this case 514.
Screenshot: Splunk Firewall Protocol and Ports.png
3. Select Allow the connection.
Screenshot: Splunk Firewall Allow Connections.png
4. Here we choose which profiles (Domain, Private, Public) this inbound rule applies to.
Screenshot: Splunk Firewall Profile.png
5. Name it. We named it Splunk.
Screenshot: Splunk Firewall Name.png
6. It should look something like this when we're done.
Screenshot: Splunk Firewall Done.png

Splunk should now be able to receive logs from the Clavister Security Gateway.
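The six firewall screenshots as one PowerShell rule, followed by the two checks a practitioner wants before blaming the gateway: is splunkd really bound to UDP 514, and does a datagram sent to that port show up in a search. This is an added example, not from the original post; it assumes an elevated PowerShell on the Splunk host and the addresses used in this how-to, and the syslog line it sends is constructed for the test and is not genuine cOS Core output. The rule is scoped to the gateway's address and to the Domain and Private profiles, which is tighter than what the wizard produces by default.

```powershell
# Added example, not from the original post: the firewall rule from the
# screenshots above, a check that splunkd owns UDP 514, and a helper that
# sends one constructed syslog datagram to verify the whole path.
# Assumptions (not in the post): run in an elevated PowerShell on the Splunk
# host; the test line is made up and is not genuine cOS Core output.

$Port      = 514
$GatewayIp = '192.168.30.10'      # cOS Core internal interface (from the post)
$SplunkIp  = '192.168.30.227'     # Windows host running Splunk (from the post)
$RuleName  = 'Splunk'

# 1. Inbound rule. Unlike the wizard defaults it is limited to the gateway's
#    address and the Domain/Private profiles, so the open UDP port is not
#    reachable from any host on any network this machine ever joins.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort $Port -RemoteAddress $GatewayIp `
        -Profile Domain, Private | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 2. Is anything bound to the port? An empty result means the UDP input was
#    not created, or Splunk was not restarted after it was configured.
$endpoint = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($endpoint) {
    $owner = Get-Process -Id $endpoint.OwningProcess
    Write-Host "UDP $Port is bound by $($owner.ProcessName) (PID $($owner.Id))"
} else {
    Write-Warning "Nothing is listening on UDP $Port; check Settings -> Data Inputs -> UDP"
}

# 3. Send one syslog datagram. PRI 134 = facility local0 (16 * 8) + severity
#    informational (6), the same facility the receiver above uses.
#    "Only accept connections from" is enforced on the source address, so run
#    this from a host listed there (or add your own address to that list for
#    the test); a datagram from any other address is dropped by splunkd
#    silently, with nothing in the UI to say why.
function Send-TestSyslog {
    param(
        [string]$Target = $SplunkIp,
        [int]$TargetPort = $Port
    )
    $ts    = (Get-Date).ToString('MMM dd HH:mm:ss')
    $line  = "<134>$ts $GatewayIp TEST: constructed message, not real cOS Core output"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($line)
    $udp   = New-Object System.Net.Sockets.UdpClient
    try {
        [void]$udp.Send($bytes, $bytes.Length, $Target, $TargetPort)
    } finally {
        $udp.Close()
    }
    return $line
}

$sent = Send-TestSyslog
Write-Host "Sent: $sent"
Write-Host "Now search Splunk for: sourcetype=syslog TEST"
```

If step 2 reports splunkd but the search stays empty, the datagram was dropped before indexing; the accept list, the rule's remote-address scope and the receiver's port on the gateway are the three places to compare against each other.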


Downloading Logs
After you've performed a search for logs, click the download button underneath the search bar. It's highlighted in red in the screenshot below.
Screenshot: Download Logs.png
Screenshot: Download Logs Settings.png
Select a name and the format the file will use.
Screenshot: Download Logs Format.png
Additional notes:
  • You must modify the network, ports and IP addresses to match your own network; all the settings in this how-to are examples
  • Splunk for Clavister does not work with Splunk Light
