当我将pfsense中的日志发送到splunk时,我遇到了问题。
目前的配置是:
Pfsense 192.168.1.128 Splunk 192.168.1.129
(2个不同的虚拟机)
因此,Pfsense的配置是将远程登录发送到端口514中spunk的IP。
在Splunk中,我添加了服务UDP 514:
Input Type
UDP Port
Port Number
514
Source name override
N/A
Restrict to Host
N/A
Source Type
syslog
App Context
search
Host
(IP address of the remote server)
Index
default
如果我在splunk中执行tcpdump:
tcpdump -anni ens33 host 192.168.1.128 and port 514
我可以从pfsense
看到syslog14:54:30.489541 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 279
14:54:30.798702 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 461
14:54:31.578176 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 290
14:54:32.575437 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 290
14:54:33.801049 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 461
14:54:33.803128 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 290
14:54:34.579268 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 290
14:54:35.578575 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 290
14:54:36.465434 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG local5.info, length: 294
14:54:36.931271 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG ntp.info, length: 69
14:54:36.931530 IP 192.168.1.128.514 > 192.168.1.129.514: SYSLOG ntp.info, length: 69
但如果我签入Screach并报告,我可以在数据摘要中看到任何信息。
你能否在这个方面给我一些启发
谢谢
答案 0 :(得分:0)
您正在搜索正确的索引吗?
如果你运行它,它会快速搜索元数据,看看它是否在Splunk中。根据需要调整时间范围
| metasearch index=*