Splunk Integration Guide

Integration Overview

This document describes the steps to integrate Splunk with your WatchGuard Firebox so that the Splunk administrator can view information from syslog messages sent from the Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware v12.2.1
  • Splunk Enterprise 7.1.3 installed on Windows 10
  • WatchGuard Firebox Add-on for Splunk Version 1.0
  • WatchGuard Firebox App for Splunk Version 1.0

Configuration

To complete this integration, you must first deploy Splunk Enterprise software.

For information about how to set up Splunk, see the Splunk Installation Guide. This document describes the procedure to configure Splunk Enterprise to listen, receive, and index syslog data from the Firebox.

Set Up Your Firebox to Send Syslog Messages to Splunk

  1. Log in to the Fireware Web UI with an administrator account.
  2. Select System > Logging.
  3. Select the Syslog Server tab.

Screen shot of the configured Syslog Server settings on the Firebox

  4. Select the Send log messages to the syslog server at this IP address check box.
  5. In the IP Address text box, type the IP address of the server on which Splunk is installed. In this example, we use 10.0.1.86.
  6. In the Port text box, type 514.
  7. From the Log format drop-down list, select Syslog.
  8. (Optional) To include the time stamp and serial number in each log message, select The time stamp and The serial number of the device check boxes.
  9. Click Save.

Set Up Splunk Enterprise

  1. Log in to Splunk Enterprise at http://localhost:8000/en-US/account/login. The first time you log in, use the default user name admin and the password you set during installation. You can then change the password and log in again with your new password.

Screen shot of Splunk Enterprise home page

  2. From the Splunk home page, select Add Data.

Screen shot of the Add Data page

  3. To get data from TCP and UDP ports, on the Add Data page, select Monitor.
  4. Select TCP/UDP.
  5. Select the UDP tab.
    Firebox syslog support is available only for UDP.

Screen shot of the Select Source step

  6. In the Port text box, type 514. This port must match the port configured on the Firebox for the syslog server.
  7. In the Only accept connection from text box, type the IP address of your Firebox. In our example, we type 10.0.1.40.
  8. Click Next.
  9. From the Select Source Type drop-down list, select Operating System > syslog.

Screen shot of the Input Settings

  10. To continue, click Review.

Screen shot of the Review step

  11. Click Submit.
    Splunk is now configured to receive syslog messages from the Firebox IP address you specified.

Screen shot of the success page
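The same UDP listener expressed as a Splunk inputs.conf stanza instead of the Add Data wizard, so the setting can be version-controlled and audited (this is an added example, not part of this guide or of WatchGuard's add-on; the addresses are the guide's example values and the file path assumes a default Splunk Enterprise install):

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf  (path assumed: default Splunk install)
# Equivalent of steps 3-11 of "Set Up Splunk Enterprise" above.

[udp://514]
# Must match the port set on the Firebox Syslog Server tab (step 6 on the Firebox).
sourcetype = syslog
# "Only accept connection from": the Firebox address used in this guide.
# UDP syslog carries no authentication, so this source ACL is the only sender
# check Splunk applies; without it, any host that can reach port 514 can inject
# events into the index.
acceptFrom = 10.0.1.40
# Record the sending IP as the host field instead of doing a reverse DNS lookup.
connection_host = ip
# Index assumed to be the default; change if you route Firebox data elsewhere.
index = main
```

After a Splunk restart, `splunk btool inputs list udp://514 --debug` prints the effective stanza and which file each setting came from, which is a quick way to confirm that acceptFrom is actually in force.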

Install the WatchGuard Firebox Add-On For Splunk

  1. Download the WatchGuard Firebox Add-on from https://splunkbase.splunk.com/app/3978/.
  2. Log in to Splunk Enterprise.
  3. On the Apps menu, click Manage Apps.

Screen shot of the splunk>enterprise Apps > Manage Apps menu

  4. Locate the .tar.gz file you just downloaded, and then click Open.

Screenshot of the Upload app page

  5. Click Upload.
  6. Click Restart Now, and then confirm that you want to restart.

  7. On the Splunk Enterprise home page, click Choose a home dashboard.

Screen shot of the Choose a home dashboard option on the Splunk Enterprise home page

  8. Click dashboards listing page.

Screen shot of the Choose Default Dashboard dialog box

  9. Select WatchGuard Firebox Add-on for Splunk.
  10. Click ....

Screen shot of the Set as Home Dashboard option

  11. Select Set as Home Dashboard.
    The WatchGuard Firebox Add-On for Splunk appears on the Splunk Enterprise Home Dashboard.

Install the WatchGuard Firebox App for Splunk

  1. Download the WatchGuard Firebox App from https://splunkbase.splunk.com/app/3979/
  2. Log in to Splunk Enterprise.
  3. From the Apps menu, select Manage Apps.
  4. Click Install app from file.
  5. In the Upload app window, click Choose File.

Screen shot of the Upload app page

  6. Locate the .tar.gz file you just downloaded, and then click Open.
  7. Click Upload.
    The WatchGuard Firebox App for Splunk appears in the Splunk Enterprise Apps list.

Screen shot of the WatchGuard Firebox App for Splunk app in the Apps list

Test the Integration

After the Firebox sends syslog entries to Splunk, you can see Firebox information in the WatchGuard Firebox Add-On for Splunk or the WatchGuard Firebox App for Splunk.

In the WatchGuard Firebox Add-On for Splunk, the Firebox data looks like this:

Screen shot of the Firebox List in the WatchGuard Firebox Add-On for Splunk

Screen shot of the Top 10 chart in the WatchGuard Firebox Add-On for Splunk

Screen shot of traffic statistics charts in the WatchGuard Firebox Add-On for Splunk

Screen shot of Denied and Allowed statistics in the WatchGuard Firebox Add-On for Splunk

In the WatchGuard Firebox App for Splunk, data from the Firebox looks like this:

Screen shot of Firebox Events & Traffic in the WatchGuard Firebox App for Splunk

Screen shot of Firebox Total, Denied, and Allowed traffic charts in the WatchGuard Firebox App for Splunk
