- Clavister cOS Core 11.x
- Splunk Enterprise 6.5.1
- Clavister app for Splunk
Adding the Clavister app to Splunk
Setting up Splunk
Setting up a Syslog Receiver
Windows Firewall Settings
Adding the Clavister app to Splunk
The first thing we need to do is download both the Splunk software and the Clavister app for Splunk.
We can find Splunk here: https://www.splunk.com/
And the Clavister app here:
After installing Splunk to the chosen path (in this case we used the default path), we need to extract the Clavister app to the apps folder of the Splunk installation (in our case this is the path: C:\Program Files\Splunk\etc\apps).
After the previous step is complete we need to restart the Splunk service; we can do this via the WebUI of Splunk or the built-in Services tool in Windows.
In Splunk, go to Settings -> Server Controls -> Restart Splunk
In Windows, go to Services, find the "Splunkd" service, right-click it and choose the Restart option.
To log onto the Splunk server, use the Splunk program or go to localhost:8000 in your web browser.
The default username is admin and the default password is changeme; both can be changed under the Administrator tab of Splunk.
Setting Up Splunk
The only thing that needs to be configured in Splunk is the port it will be listening on for incoming syslog messages.
This is done by first going to Settings -> Data Inputs -> UDP -> New UDP Port
Then entering the following information:
- Port: We decided to use port 514 (the default port for syslog)
- Only accept connections from: Since we have Splunk on our internal network we'll be using the GW IP of our internal interface, 192.168.30.10
- Source Type: Here we can select either Clavister or Syslog. Both options will yield the same results log-wise.
- Host: This decides how the host name/source of the logs will be displayed. We will use "IP"
- Index: We select the default setting, which is Default
Setting up a Syslog Receiver
On the Clavister Security Gateway, go to System -> Device -> Log and Event Receivers -> Add Syslog Receiver and enter the following:
- Name: In this example we use the name Splunk
- Routing Table: Since our local routes are located in the <main> routing table we select <main>
- IP Address: 192.168.30.227 (this is the IP of the Windows machine that we are hosting Splunk on)
- Facility: We leave this setting at its default, Local0
- Port: 514 (this is the default setting of the Syslog Receiver; the port entered here must match the port we specified in the Splunk settings earlier)
Windows Firewall Settings
The Windows Firewall likes to block the incoming logs, so if logs are not working by now you'll have to allow the port we use for syslog manually.
First navigate to the advanced settings of the Windows Firewall; once there we need to allow port 514 as an inbound rule.
1. Select Port as the Rule Type.
2. Make sure you select UDP and the port that we chose earlier, in this case 514.
3. Select Allow the Connection.
4. Here we choose what type of profile this inbound rule will trigger on.
5. Name it. We named it Splunk.
6. It should look something like this when we're done.
Splunk should now be able to receive logs from the Clavister Security Gateway
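As an added example (not part of the original how-to), the same inbound rule created from an elevated PowerShell session, narrowed with -RemoteAddress to the gateway IP 192.168.30.10 so that only the Security Gateway can reach the syslog port, followed by a check that splunkd is actually bound to UDP/514. It assumes the addresses, port and rule name used above.

```powershell
# Added example, not part of the original how-to. Assumes the values from the text:
# gateway 192.168.30.10 sending to UDP/514 on this Splunk host; run from an elevated PowerShell.
$GatewayAddr = '192.168.30.10'
$SyslogPort  = 514
$RuleName    = 'Splunk'

# 1. Inbound rule for UDP/514 (steps 1-5 above). The GUI steps allow the port from any
#    source; -RemoteAddress limits it to the gateway, so other hosts cannot push syslog in.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $SyslogPort -RemoteAddress $GatewayAddr -Action Allow `
        -Profile Domain,Private | Out-Null
}

# 2. Show the resulting port filter so it can be compared with what the GUI displays.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 3. If logs still do not arrive, check that splunkd is listening on the port at all. If
#    nothing is bound, the Data Input was not saved or Splunk was not restarted; the
#    firewall rule is not the problem in that case.
$endpoint = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($endpoint) {
    $owner = (Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Output "UDP/$SyslogPort is open, owned by process '$owner' (expected: splunkd)."
} else {
    Write-Warning "Nothing is listening on UDP/$SyslogPort; re-check the Splunk Data Input and restart Splunk."
}
```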
After you've performed a search for logs, click the download button underneath the search bar. It's highlighted in red in the screenshot below. Select a name and which format the file will use.
Additional notes:
- You must modify the network, ports and IP addresses to match your own network; all the settings in this how-to are examples
- Splunk for Clavister does not work with Splunk Light