Configure Splunk Input

Objective: Set the sourcetype to linux:iptables in the inputs.conf file on the forwarder.

Create a new index

Optional Step

If you do not wish to create a new index, skip to Splunk Universal Forwarder Configuration.

Splunk stores data in indexes. This add-on may be configured to send to a custom event index instead of the default index, main. For more information and steps to create a new index, see Splunk Docs: Create events indexes.

Purpose for creating a new index

The out-of-the-box Splunk configuration stores all data in the default index, main. Creating a new index is encouraged: it helps ensure optimal performance, lets you set retention policies per data source, and lets you apply stricter access controls to the firewall data. For more information about how Splunk indexes work with add-ons, see Splunk Docs: Add-ons and indexes.

Splunk Universal Forwarder Configuration

Download the latest Splunk Universal Forwarder (UF) appropriate for your server.

Note

Unless you are utilizing a syslog server, this UF should be installed on the same server from which you wish to collect Linux firewall events.

Install the UF according to Splunk Docs: Install the Universal Forwarder.

Once installed, the configuration can be made. The following is a sample inputs.conf that can be pushed using a deployment server or configured on the UF itself.

inputs.conf
[monitor:///var/log/iptables.log]
disabled = 0
sourcetype = linux:iptables
# optionally specify an index, if configured.
index = osnixfw

The above assumes the iptables logs have been split into a separate file (see Prepare Logs for Splunk). If the iptables logs are mixed with other Linux logs, then use the following sample configuration as a guide.

Mixed Logs

inputs.conf - for mixed logs
[monitor:///var/log/syslog]
disabled = 0
sourcetype = syslog
# optionally specify an index, if configured.
index = osnix

Then create a local directory within this app and add a props.conf that rewrites the sourcetype of the matching events to the correct sourcetype.

local/props.conf - needed for mixed logs
[syslog]
TRANSFORMS-iptables_sourcetyper = iptables_sourcetyper

This enables a prebuilt transform that automatically assigns the linux:iptables sourcetype to these events.
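To make the two input paths above concrete (a dedicated iptables.log monitored directly as linux:iptables, versus a mixed syslog file whose iptables events are re-sourcetyped by a transform), here is an added Python example that is not part of this add-on or of Splunk. It parses a constructed inputs.conf containing both stanzas from this page, then decides the index and sourcetype each sample line would end up with. The regular expression is an assumption standing in for the add-on's real iptables_sourcetyper transform, which this page does not show; it keys on the key=value fields an iptables LOG target emits (IN=, OUT=, SRC=, DST=). The syslog lines are constructed samples, not captured data.

```python
import configparser
import re

# Constructed inputs.conf containing both stanzas shown on this page.
INPUTS_CONF = """
[monitor:///var/log/iptables.log]
disabled = 0
sourcetype = linux:iptables
# optionally specify an index, if configured.
index = osnixfw

[monitor:///var/log/syslog]
disabled = 0
sourcetype = syslog
# optionally specify an index, if configured.
index = osnix
"""

# Constructed sample lines from a mixed /var/log/syslog (not real captures).
SYSLOG_LINES = [
    "Jan 23 10:00:01 host01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 23 10:00:02 host01 kernel: [12345.678901] IPTABLES-DROP: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jan 23 10:00:03 host01 sshd[2222]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2",
]

# Assumed pattern: iptables LOG-target lines are kernel messages carrying
# IN=/OUT= followed later by SRC=/DST=. The add-on's real transform regex is
# not shown on this page, so this is an illustrative stand-in only.
IPTABLES_RE = re.compile(r"kernel:.*\bIN=\S*\s+OUT=\S*.*\bSRC=\S+\s+DST=\S+")


def load_monitor_stanzas(conf_text):
    """Parse inputs.conf text; return enabled [monitor://...] stanzas keyed by path.

    Splunk .conf files are INI-like, so configparser suffices for this sample.
    Stanzas with disabled = 1 are skipped, mirroring what the forwarder does.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    stanzas = {}
    for section in parser.sections():
        if not section.startswith("monitor://"):
            continue
        settings = dict(parser[section])
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        stanzas[section[len("monitor://"):]] = settings
    return stanzas


def route_sourcetype(base_sourcetype, line):
    """Emulate the props.conf [syslog] TRANSFORMS rule: syslog events that look
    like iptables LOG output are re-sourcetyped to linux:iptables; everything
    else keeps the sourcetype assigned by its inputs.conf stanza."""
    if base_sourcetype == "syslog" and IPTABLES_RE.search(line):
        return "linux:iptables"
    return base_sourcetype


def classify(conf_text, path, lines):
    """Return (index, sourcetype) for each line read from the monitored path."""
    stanzas = load_monitor_stanzas(conf_text)
    if path not in stanzas:
        raise ValueError(f"{path} is not an enabled monitor input")
    stanza = stanzas[path]
    index = stanza.get("index", "main")  # Splunk default index when none is set
    return [(index, route_sourcetype(stanza["sourcetype"], line)) for line in lines]


if __name__ == "__main__":
    for (idx, st), line in zip(classify(INPUTS_CONF, "/var/log/syslog", SYSLOG_LINES), SYSLOG_LINES):
        print(f"index={idx} sourcetype={st}  {line[:60]}")
```

Run it and only the kernel line from the mixed file comes out as linux:iptables; the CRON and sshd lines stay as plain syslog, which is exactly what the Verify search on this page (index=<chosen index> sourcetype=linux:iptables) relies on. If that search returns nothing while the syslog input is clearly flowing, the transform is the first place to look.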

Push the configuration to the forwarder, if using a deployment server, or restart the UF if configuring on the UF itself.

Verify

Verify the setup has completed successfully by navigating to Splunk web and running a search similar to the following:

index=<chosen index> sourcetype=linux:iptables

If you see data, you are all set! If you are not seeing your data, see Troubleshooting Monitoring Inputs.


Last update: January 23, 2023