Send logs to a SIEM (Splunk)

Comments

13 comments

  • Stuart

    If you have a Gold, you could install the Splunk UF on it and ingest from the various logfiles. Another option might be to install syslog-ng and send syslog, or maybe use an HTTP destination and send to HEC. You could probably use rsyslog for some of this too, but I don't have any experience with doing that.

    I haven't dug into all the logfiles on a Firewalla to see if they're all handled by the local syslog or not. If some are not using that facility, then the UF would be useful to capture them.

  • Jayce

    Thanks so much for the info, Stuart. I have the Firewalla Gold.

    Curious to see if anyone has done it.

  • Stuart

    OK, if you can pull what you need from their MSP API, you can probably set up something to pull that into Splunk. There's a REST API app, maybe from BaboonBones?

    Yes, here it is: https://splunkbase.splunk.com/app/1546

  • Rusty Shackleford

    Hey there!

    I am doing this same thing :)

    Working on a Graylog siem in my home lab.

    Probably will have this solved within the next…2ish weeks when I can really put time to it.

    There’s also an MSP API, I guess, mentioned here? But I’m not sure if there’s an API endpoint built out for network traffic logs; all that’s listed is just events.

  • Rusty Shackleford

    To build on this, I don’t think syslog would give you the data you are after.

    The api endpoint would give us a lot.

    Network traffic logs, though, still looking :)

  • Firewalla

    Do you want to stream all the flow data, or alarms, or both?

  • Jayce

    Thank you all for the suggestions and pointers. I’m interested in both.

  • Firewalla

    You can find the APIs here: https://docs.firewalla.net

    More information on the MSP: https://firewalla.net

    I'll see if I can get someone to build a full example of pulling flows.

  • prabuaj

    I am using the Firewalla Purple. I wanted to send the logs to Splunk via file monitoring by installing the Splunk UF on the Firewalla Purple. I installed the UF on the Firewalla Purple and did all the configuration required for the UF and Splunk to send/receive the logs. Every time, sending logs failed on the Splunk side with an error message saying "destination route fail". I set up the rule on Firewalla "Allow traffic from LAN 1 to Remote Port 9997" because Splunk receives on port 9997.

    Also, I noticed the Splunk UF installation on Firewalla under /opt/SplunkForwarder automatically gets deleted after the UF installation.

    Has anyone had similar issues? If any other method has succeeded for Splunk integration with the Firewalla Purple, please share the instructions. I have been battling this issue for the last three to four weeks.

    Thank you

    Jesu

  • Jayce

    @Firewalla, following up on this comment:
    "You can find the APIs here: https://docs.firewalla.net

    More information on the MSP: https://firewalla.net

    I'll see if I can get someone to build a full example of pulling flows."

  • Jayce

    Also, wondering if anyone has been able to figure this out.

  • Firewalla

    See this example; it will pull flows: https://github.com/firewalla/msp-api-examples/tree/main/flow-pagination

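Putting the two threads of advice together (Stuart's suggestion of posting to HEC, and Firewalla's pointer to cursor-based flow pagination), here is an added example of a small puller that walks the MSP flow endpoint page by page and ships each batch to Splunk HEC. It is not code from Firewalla's msp-api-examples repository or from Splunk. The MSP request shape (`/v2/flows` with `limit` and `cursor` query parameters, `Authorization: Token <token>`, a response with `results` and `next_cursor`, and a per-flow epoch field `ts`) is an assumption to check against https://docs.firewalla.net; the HEC side (`POST /services/collector/event`, `Authorization: Splunk <token>`, newline-separated JSON envelopes) is Splunk's documented interface. The sample pages at the bottom are constructed so the module runs offline.

```python
"""Pull Firewalla MSP flows page by page and forward them to Splunk HEC.

Added example, not Firewalla's or Splunk's code. ASSUMED MSP shape (verify
against https://docs.firewalla.net): GET {MSP_URL}/v2/flows?limit=N&cursor=C,
header "Authorization: Token <token>", response {"results": [...],
"next_cursor": "<opaque>" or null}, each flow carrying epoch seconds in "ts".
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, Optional

FetchPage = Callable[[Optional[str]], dict]   # cursor -> one page of results
Send = Callable[[str], int]                   # request body -> HTTP status


def iter_flows(fetch_page: FetchPage, max_pages: int = 10_000) -> Iterator[dict]:
    """Walk a cursor-paginated endpoint until next_cursor is empty.

    Two guards: a page budget and repeated-cursor detection, so a misbehaving
    server cannot turn the puller into an infinite loop.
    """
    cursor: Optional[str] = None
    seen = set()
    for _ in range(max_pages):
        page = fetch_page(cursor)
        yield from page.get("results", [])
        cursor = page.get("next_cursor") or None
        if cursor is None:
            return
        if cursor in seen:
            raise RuntimeError("pagination loop: cursor %r served twice" % cursor)
        seen.add(cursor)
    raise RuntimeError("gave up after %d pages" % max_pages)


def hec_payload(flows: Iterable[dict], sourcetype: str = "firewalla:flow",
                host: str = "firewalla-msp") -> str:
    """One HEC body: newline-separated JSON envelopes. Copying the flow's own
    "ts" into HEC's "time" keeps _time right when the puller is catching up."""
    lines = []
    for flow in flows:
        envelope = {"event": flow, "sourcetype": sourcetype, "host": host}
        if isinstance(flow.get("ts"), (int, float)):
            envelope["time"] = flow["ts"]
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines)


def _flush(send: Send, batch: list) -> int:
    status = send(hec_payload(batch))
    if status != 200:   # stop rather than silently drop everything after a failure
        raise RuntimeError("HEC rejected a batch: HTTP %d" % status)
    return len(batch)


def forward_flows(fetch_page: FetchPage, send: Send, batch_size: int = 500) -> tuple:
    """Stream flows into HEC in batches; returns (flows_sent, batches_sent)."""
    batch, flows_sent, batches_sent = [], 0, 0
    for flow in iter_flows(fetch_page):
        batch.append(flow)
        if len(batch) == batch_size:
            flows_sent += _flush(send, batch)
            batches_sent += 1
            batch = []
    if batch:
        flows_sent += _flush(send, batch)
        batches_sent += 1
    return flows_sent, batches_sent


def msp_fetcher(msp_url: str, msp_token: str, limit: int = 200) -> FetchPage:
    """Live MSP adapter (endpoint shape assumed, see module docstring)."""
    def fetch(cursor: Optional[str]) -> dict:
        params = {"limit": str(limit)}
        if cursor:
            params["cursor"] = cursor
        url = msp_url.rstrip("/") + "/v2/flows?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Token " + msp_token})
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
            return json.load(resp)
    return fetch


def hec_sender(hec_url: str, hec_token: str) -> Send:
    """Live HEC adapter. Keep TLS verification on; the HEC token is a write credential."""
    def send(body: str) -> int:
        req = urllib.request.Request(
            hec_url, data=body.encode("utf-8"), method="POST",
            headers={"Authorization": "Splunk " + hec_token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    return send


# Constructed sample pages (not real Firewalla output) so the module runs offline.
SAMPLE_PAGES = {
    None: {"results": [{"ts": 1700000000, "device": "10.0.0.5", "domain": "example.com"},
                       {"ts": 1700000001, "device": "10.0.0.7", "domain": "example.org"}],
           "next_cursor": "p2"},
    "p2": {"results": [{"ts": 1700000002, "device": "10.0.0.5", "domain": "example.net"}],
           "next_cursor": None},
}


def demo(batch_size: int = 2) -> dict:
    """Run the pipeline over SAMPLE_PAGES with a sender that only records bodies."""
    bodies = []

    def capture(body: str) -> int:
        bodies.append(body)
        return 200

    flows, batches = forward_flows(lambda c: SAMPLE_PAGES[c], capture, batch_size)
    return {"flows": flows, "batches": batches, "bodies": bodies}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For a live run, replace the lambda and `capture` in `demo()` with `msp_fetcher(...)` and `hec_sender(...)`, reading both tokens from the environment or a secrets store rather than the script; the MSP token reads every box's flows and the HEC token writes into your index, so neither belongs in a repo. Two things the thread's syslog route does not give you and this one does: the event time comes from the flow itself rather than arrival time, and a HEC rejection halts the run instead of losing the tail of a page.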