Splunk is a Security Information and Event Management (SIEM) tool. It is a large product with many functions; one of them is acting as a syslog server. Syslog is a protocol for transferring system logs from a device to a logging server where they can be analyzed. Keeping track of system logs is useful for keeping your network healthy: if you proactively review device logs, they will alert you to potential problems before they lead to outages.
On a Cisco device, you need to configure logging so that the device sends its logs to a syslog server. The video below shows the IOS configuration on a Cisco ASA firewall.
IOS configuration
https://www.youtube.com/watch?v=6WpNMBLx2cc
You can specify a custom port rather than the standard syslog port, which is UDP 514. On the Cisco device, the traffic will originate from port 514. UDP has lower overhead than TCP, so UDP is the better choice for the protocol type. In this scenario, the logging host specified is the VMware host machine, to which the logs are initially forwarded.
Make sure the clock on the network device is set so that the date and time are correct; otherwise the timestamps in the logs are of little use. Use an appropriate NTP server to synchronize the time on the device. NTP is recommended over SNTP, which is only suitable for simple applications. Giving the Cisco device a meaningful hostname also helps in correlating the logs with the network device.
You need to allow syslog ports in Windows for the traffic to come to the syslog server. For this,
Open Windows Defender Firewall
Advanced settings > Inbound Rules > New Rule
Select Port, then click Next. Select UDP, select Specific local ports, and enter the port that you specified in the ASA config. Click Next. Select Allow the connection. Click Next and tick the network profiles the rule should apply to. Click Next, enter a name for the firewall rule, and click Finish.
You need to create a similar firewall rule in the VMware guest machine where you install Splunk. The port you specify there should be the same port that you use for syslog in Splunk.
I used a VMware Windows 11 virtual machine to install Splunk. It was also necessary to set up port forwarding in VMware for my settings to work. For my VMware Network Adapter settings, I used Custom: specific virtual network and selected the virtual network adapter with NAT, since my Windows 11 machine is on a subnet.
To configure port forwarding in VMware:
Go to Edit, then open the Virtual Network Editor.
Click on Change Settings. Select the VMware network adapter with NAT configured. Click on NAT Settings, then click the Add button. Specify the host port, which is the port on the host machine where the syslog traffic initially enters. Select UDP as the type. Then specify the Virtual machine IP address and Virtual machine port, which are the IP and port of the machine where Splunk is installed. Enter a description. Click OK, OK again, and OK once more to save the Virtual Network Editor settings. Make sure to use a port that is not currently in use on the host machine when port forwarding in VMware; otherwise VMware NAT will stop working.
It's also possible to set up port forwarding in Windows using the command below.
netsh interface portproxy add v4tov4 listenport=4422 listenaddress=192.168.1.111 connectport=80 connectaddress=192.168.0.33 protocol=tcp
This forwards IPv4 traffic. The only protocol option here is TCP, so it cannot carry the UDP syslog traffic used in this scenario.
Instead of Splunk, you can also use software such as PRTG or Kiwi as the syslog server. Tftpd64 is another simple program that can act as a syslog server; however, it has no option to configure a custom port for syslog traffic.
To configure Splunk:
Add the Cisco addon for Splunk.
Go to Apps> Find More Apps >
Type cisco in the search box, then install the Cisco Networks Add-on for Splunk Enterprise.
Then go to Settings > (Add Data) Data inputs > UDP > New Local UDP >
Select the UDP option. For the port, specify the UDP port that we use on the VMware guest machine. This is also the port we used as the virtual machine port when we set up port forwarding in VMware. It is not the port that we specified in the ASA.
This is how the traffic flows in our scenario:
Network device (IP, port) > host PC (host port) > guest PC (guest port)
Back in our Splunk config,
You can specify the other options on this page if needed, but the defaults will work. Click Next.
For Source type, go to Uncategorized and select cisco_syslog.
For App Context, select Cisco Networks Add-on.
You can leave other options as they are.
Click on Review then Submit.
You should be able to search for the Cisco logs by specifying the source and sourcetype in the search.
Ex: source="udp:2934" sourcetype="cisco_syslog"
If you don't see any syslog traffic displayed, make sure that no other programs are interfering with Splunk. You cannot run two syslog servers on the same machine with the same syslog port at the same time. If you see no traffic and also no errors in Splunk, you have probably made an incorrect configuration somewhere, for instance a wrong port or an incorrect IP address. You can use Wireshark to inspect the traffic and see whether anything is arriving at the Windows machine. You can also enable logging in Windows Firewall to see whether it is dropping or allowing the syslog traffic.
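A small stand-in listener helps with the troubleshooting above: it binds the guest's syslog port in place of Splunk (stop Splunk first, since two listeners cannot share one UDP port), reports the bind failure you get when another syslog server already owns the port, and decodes the RFC 3164 PRI header of whatever arrives so you can confirm the ASA's facility and severity. This is an added example, not code from the original post or from Splunk; the port 2934 and the ASA-style sample message are assumptions taken from or modelled on this page.

```python
import re
import socket

# RFC 3164: PRI = facility * 8 + severity. Cisco ASA sends facility local4 (20) by default.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock"]
              + [f"local{i}" for i in range(8)])
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(datagram: str) -> dict:
    """Split the <PRI> header of one syslog datagram into facility and severity names."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:          # 191 = local7 (23) * 8 + debug (7)
        return {"valid": False, "body": datagram}
    facility, severity = divmod(int(m.group(1)), 8)
    return {"valid": True, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity], "body": m.group(2).strip()}


def listen(port: int, bind_addr: str = "0.0.0.0", max_messages: int = 10) -> list:
    """Bind the syslog UDP port, print each parsed datagram, and return them as a list."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((bind_addr, port))
    except OSError as err:
        # Usually another syslog server (Splunk, Kiwi, Tftpd64) is already bound to the port.
        print(f"cannot bind UDP/{port}: {err}")
        return []
    received = []
    sock.settimeout(30)
    try:
        while len(received) < max_messages:
            data, (src_ip, src_port) = sock.recvfrom(8192)
            msg = parse_pri(data.decode("utf-8", errors="replace"))
            msg["src"] = f"{src_ip}:{src_port}"     # the ASA sources its traffic from UDP/514
            print(msg)
            received.append(msg)
    except socket.timeout:
        print("no datagrams arrived: check the firewall rule, VMware NAT forward and ASA logging host/port")
    finally:
        sock.close()
    return received


def send_test_message(host: str, port: int, text: str = "<166>%ASA-6-302013: constructed test message") -> None:
    """Send one constructed ASA-style datagram (facility local4, severity info) through the NAT path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(text.encode(), (host, port))


if __name__ == "__main__":
    listen(2934)   # assumed guest syslog port from the Splunk UDP input; change to yours
```

Run listen() on the guest and send_test_message() from the host PC against the host port to check the forward before involving the ASA.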
