
Using the barracuda NG app for Splunk

splunk ng firewall syslog

6 replies to this topic

#1 Jamie van der Pijll

Jamie van der Pijll
  • Members
  • 4 posts

Posted 29 March 2016 - 08:21 AM

Hi,

I have a question about the Next-Gen Firewall F-Series. I want to stream the syslog data from my NG to a Splunk server I just set up. I use the newest Splunk with the newest NG app. My data is coming in on port 5140 in Splunk; I can read all the data coming in, but no hosts are showing up in the NG app within Splunk.

Does someone have the same problem or a solution? Other ports are working as well, just not in the NG app within Splunk...



#2 Tobias Witek

Tobias Witek
  • Barracuda Team Members
  • 14 posts

Posted 29 March 2016 - 08:34 AM

Hello,

To help narrow down the problem, it would be great if you could answer the following questions:

* Which logs are you streaming from the NG?

* When you go to the Splunk App for the firewall, are there any error messages?

* Is some partial data being displayed, or is the dashboard completely empty?

Just in case: there are step-by-step instructions on how to set up Splunk integration on the firewall in the TechLibrary: https://techlib.barr...lunkIntegration

Best regards,

Tobias



#3 Jamie van der Pijll

Jamie van der Pijll
  • Members
  • 4 posts

Posted 29 March 2016 - 08:45 AM

Hi Tobias,

I followed the TechLib article from beginning to end for this setup. The Barracuda NG App is not displaying any form of errors; all the fields are empty. I cannot choose a host to display data from. The NG App installed the input for 5140/udp, so I send the data there from the NG Firewall itself. In the search app within Splunk, I can see all of the data coming in on that port, so the data is there. I installed the NG App by using WinSCP and unzipping the tar provided from the Splunk app database to the apps folder within Splunk. The app itself is visible.

EDIT: I am logging the firewall activity. (firewall_audit_log, ALL)
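The situation described in this post (raw events are searchable on 5140/udp, yet the app lists no hosts) is usually diagnosed by looking at what the receiver actually gets: whether each line carries a syslog header with a hostname, and how far the header timestamp is from the time of receipt. The script below is an added example, not code from this thread, from Barracuda, or from Splunk. It assumes the firewall emits classic RFC 3164 lines ("<PRI>Mmm dd hh:mm:ss host message"); the sample lines are constructed and do not reproduce the real Barracuda log format, and `capture()` is a hypothetical helper for a live check on the port the thread uses.

```python
"""Sanity-check a syslog stream of the kind a firewall forwards to Splunk.

Added example, not code from the thread or from Barracuda/Splunk. It assumes
RFC 3164 lines ("<PRI>Mmm dd hh:mm:ss host msg"); the sample data below is
constructed and is not the real Barracuda log format.
"""
import re
import socket
from collections import Counter
from datetime import datetime

# Constructed sample of what might arrive on 5140/udp: two lines from one
# host, one from a second host, and one line without any syslog header.
SAMPLE_LINES = [
    "<134>Mar 29 08:20:01 ngfw-1 box_Firewall_Activity: constructed event one",
    "<134>Mar 29 08:20:02 ngfw-1 box_Firewall_Activity: constructed event two",
    "<134>Mar 29 08:20:03 ngfw-2 box_Firewall_Activity: constructed event three",
    "plain text line with no PRI or header at all",
]
# Constructed receipt time used to evaluate the sample above.
SAMPLE_NOW = datetime(2016, 3, 29, 8, 30, 0)

# <PRI>, BSD timestamp (day may be space-padded), hostname, then the message.
HEADER_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S
)


def parse_syslog(line):
    """Return the header fields of one RFC 3164 line, or None if it has none."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def skew_seconds(record, now):
    """Seconds between receipt time and the header timestamp.

    RFC 3164 timestamps carry no year and no timezone, so the receiver has
    to guess both; a large skew puts events outside a dashboard's search
    window even though the raw data is searchable.
    """
    stamped = datetime.strptime(record["timestamp"], "%b %d %H:%M:%S")
    stamped = stamped.replace(year=now.year)
    return (now - stamped).total_seconds()


def summarize(lines, now):
    """Count events per host, lines without a header, and the worst skew seen."""
    hosts = Counter()
    unparsed = 0
    max_skew = 0.0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        hosts[rec["host"]] += 1
        max_skew = max(max_skew, abs(skew_seconds(rec, now)))
    return {"hosts": dict(hosts), "unparsed": unparsed, "max_skew_seconds": max_skew}


def capture(port=5140, count=20, timeout=30.0):
    """Hypothetical live check: receive `count` UDP datagrams on `port` and
    return them as text lines. Stops early when `timeout` seconds pass."""
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            while len(lines) < count:
                data, _ = sock.recvfrom(65535)
                lines.append(data.decode("utf-8", errors="replace").rstrip("\n"))
        except socket.timeout:
            pass
    return lines


if __name__ == "__main__":
    # Offline run on the constructed sample; for a live check, temporarily
    # point the firewall at a spare port and call capture() on that port.
    print(summarize(SAMPLE_LINES, SAMPLE_NOW))
```

A result with an empty `hosts` map or a high `unparsed` count means the receiver never sees a hostname to group on; a large `max_skew_seconds` means the events are indexed under a time the dashboards are not searching. Run `capture()` on a port Splunk is not already bound to, since two listeners cannot share 5140/udp.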



#4 Tobias Witek

Tobias Witek
  • Barracuda Team Members
  • 14 posts

Posted 29 March 2016 - 08:55 AM

Hi Jamie,

Hm, this is something I have only observed right after setting up the syslog stream. Sometimes it takes a few minutes until the sources are visible. But once your stream runs longer than, say, 20 minutes, this should definitely not occur anymore.

May I ask you to contact our support regarding that issue? They can do a screen-sharing session with you and hopefully narrow down the issue quickly.

Thanks & sorry for not being able to help more,

Tobias



#5 Jamie van der Pijll

Jamie van der Pijll
  • Members
  • 4 posts

Posted 29 March 2016 - 09:37 AM

> Hi Jamie,
>
> Hm, this is something I have only observed right after setting up the syslog stream. Sometimes it takes a few minutes until the sources are visible. But once your stream runs longer than, say, 20 minutes, this should definitely not occur anymore.
>
> May I ask you to contact our support regarding that issue? They can do a screen-sharing session with you and hopefully narrow down the issue quickly.
>
> Thanks & sorry for not being able to help more,
>
> Tobias

Hi Tobias,

One last question before I contact support: is it even supported to use the app with the latest Splunk (6.3.3)?

EDIT: I do not get to choose from any hosts (top left corner) in any of the Barracuda apps for Splunk. Other apps work fine.



#6 Jamie van der Pijll

Jamie van der Pijll
  • Members
  • 4 posts

Posted 30 March 2016 - 02:10 AM

Ok,

The next day a host does show up to choose from (time setting maybe), but no results are shown, sadly. Every position tells me that no results are found.



#7 Tobias Witek

Tobias Witek
  • Barracuda Team Members
  • 14 posts

Posted 30 March 2016 - 07:43 AM

Hello,

Unfortunately, we don't support Splunk 6.3 right now, i.e. we cannot guarantee that the app works correctly with it.

Would it be possible for you to perform a test with Splunk 6.2 to see whether your data is displayed correctly there?

Thanks and sorry for the inconvenience!

Tobias