Skip to content

Splunk Connect for Syslog

Firewall

Splunk Connect for Syslog

Home
Architectural Considerations
Load Balancers
Getting Started
Getting Started
Configuration
Development
Destinations
Sources
Sources
- Read First
- Basic Onboarding
  Basic Onboarding
- Known Vendors
  Known Vendors
  - AVI
    AVI
    
    Common
  - Alcatel
    Alcatel
    
    Switch
  - Alsid
    Alsid
    
    Alsid
  - Arista
    Arista
    
    EOS
  - Aruba
    Aruba
    
    Access Points
    
    Clearpass
  - Avaya
    Avaya
    
    SIP Manager
  - BeyondTrust
    BeyondTrust
    
    Secure Remote Access (Bomgar)
  - Broadcom
    Broadcom
    
    Brightmail
    
    Symantec DLP
    
    Symantec Endpoint Protection (SEPM)
    
    ProxySG/ASG
    
    SSL Visibility Appliance
  - Brocade
    Brocade
    
    Switch
  - Buffalo
    Buffalo
    
    Terastation
  - Checkpoint
    Checkpoint
    
    Firewall OS
    
    Log Exporter (Syslog)
    
    Log Exporter (Splunk)
  - Cisco
    Cisco
    
    Application Control Engine (ACE)
    
    Cisco Access Control System (ACS)
    
    ASA/FTD (Firepower)
    
    Email Security Appliance (ESA)
    
    Cisco Integrated Management Controller (IMC)
    
    Cisco Networking (IOS and Compatible)
    
    Cisco ise
    
    Cisco meraki
    
    Meeting Management
    
    Meeting Server
    
    TelePresence Video Communication Server (TVCS)
    
    Unified Communications Manager (UCM)
    
    Unified Computing System (UCS)
    
    Viptela
    
    Web Security Appliance (WSA)
  - Citrix
    Citrix
    
    Netscaler ADC/SDX
  - Cohesity
    Cohesity
    
    Cluster
  - CyberArk
    CyberArk
    
    Vendor - CyberArk
    
    PTA
  - Cylance
    Cylance
    
    Protect
  - Dell
    Dell
    
    CMC (VRTX)
    
    EMC Powerswitch N Series
    
    iDrac
    
    RSA SecureID
    
    Sonicwall
  - F5
    F5
    
    BigIP
  - FireEye
    FireEye
    
    CMS
    
    eMPS
    
    etp
    
    hx
  - Forcepoint
    Forcepoint
    
    Email Security
    
    Webprotect (Websense)
  - Fortinet
    Fortinet
    
    FortiWMail
    
    Fortios
    
    FortiWeb
  - GitHub
    GitHub
    
    Enterprise Server
  - HAProxy
    HAProxy
    
    HAProxy
  - HPe
    HPe
    
    ILO (4+)
    
    Jedirect
    
    Procurve Switch
  - IBM
    IBM
    
    Data power
  - ISC
    ISC
    
    bind
    
    dhcpd
  - Imperva
    Imperva
    
    Incapsula
    
    On-Premises WAF (SecureSphere WAF)
  - InfoBlox
    InfoBlox
    
    NIOS
  - Juniper
    Juniper
    
    JunOS
    
    Netscreen
  - Kaspersky
    Kaspersky
    
    Enterprise Security RFC5424
    
    Enterprise Security CEF
    
    Enterprise Security Leef
  - McAfee
    McAfee
    
    EPO
    
    Network Security Platform
    
    Wg
  - Microfocus
    Microfocus
    
    Arcsight Internal Agent
    
    Arcsight Microsoft Windows (CEF)
  - Microsoft
    Microsoft
    
    Cloud App Security (MCAS)
  - Mikrotik
    Mikrotik
    
    RouterOS
  - NetApp
    NetApp
    
    OnTap
  - NetScout
    NetScout
    
    DatAdvantage
  - Netmotion
    Netmotion
    
    Mobility Server
    
    Reporting
  - Novell
    Novell
    
    NetIQ
  - Ossec
    Ossec
    
    Ossec
  - PaloaltoNetworks
    PaloaltoNetworks
    
    Cortext
    
    panos
    
    Traps
  - Pfsense
    Pfsense
    
    Firewall Firewall
    Table of contents
    
    Key facts
    
    Links
    
    Sourcetypes
    
    Sourcetype and Index Configuration
    
    Parser Configuration
  - Polycom
    Polycom
    
    RPRM
  - Proofpoint
    Proofpoint
    
    Proofpoint Protection Server
  - Pulse
    Pulse
    
    Pulse
  - PureStorage
    PureStorage
    
    Array
  - Qumulo
    Qumulo
    
    Storage
  - Radware
    Radware
    
    DefensePro
  - Raritan
    Raritan
    
    DSX
  - Ricoh
    Ricoh
    
    MFP
  - Schneider
    Schneider
    
    APC Power systems
  - Solace
    Solace
    
    EventBroker
  - Sophos
    Sophos
    
    Web Appliance
  - Spectracom
    Spectracom
    
    NTP Appliance
  - Splunk
    Splunk
    
    Splunk Connect for Syslog (SC4S)
  - StealthWatch
    StealthWatch
    
    Stealth Intercept
  - Tanium
    Tanium
    
    Platform
  - Tenable
    Tenable
    
    ad
    
    nnm
  - Thycotic
    Thycotic
    
    Secret Server
  - Tintri
    Tintri
    
    Syslog
  - Trend
    Trend
    
    Deep Security
  - Ubiquiti
    Ubiquiti
    
    Unifi
  - VMWare
    VMWare
    
    Carbon Black Protection
    
    Horizon View
    
    Index
    
    Vsphere
  - Varonis
    Varonis
    
    DatAdvantage
  - Vectra
    Vectra
    
    Cognito
  - Wallix
    Wallix
    
    Bastion
  - Zscaler
    Zscaler
    
    LSS
    
    NSS
  - syslog-ng
    syslog-ng
    
    loggen
Performance
Troubleshooting
Troubleshooting
- SC4S Startup and Validation
- SC4S Logging and Troubleshooting Resources
Experiments
Upgrading SC4S
SC4S FAQ

Firewall¶

Key facts¶

MSG Format based filter
Legacy BSD Format default port 514

Links¶

Ref	Link
Splunk Add-on	https://splunkbase.splunk.com/app/1527/
Product Manual	https://docs.netgate.com/pfsense/en/latest/monitoring/copying-logs-to-a-remote-host-with-syslog.html?highlight=syslog

Sourcetypes¶

sourcetype	notes
pfsense:filterlog	None
pfsense:*	All programs other than filterlog

Sourcetype and Index Configuration¶

key	sourcetype	index	notes
pfsense	pfsense	netops	none
pfsense_filterlog	pfsense:filterlog	netfw	none

Parser Configuration¶

#/opt/sc4s/local/config/app-parsers/app-vps-pfsense_firewall.conf
#File name provided is a suggestion it must be globally unique

application app-vps-test-pfsense_firewall[sc4s-vps] {
 filter { 
        "${HOST}" eq "pfsense_firewall"
    }; 
    parser { 
        p_set_netsource_fields(
            vendor('pfsense')
            product('firewall')
        ); 
    };   
};