You can configure the Network Security service so that it sends the IPS events that
it generates to a Splunk server. Before starting this procedure, ensure that you have
the Splunk application for Network Security installed. Learn more.
Note: Your Network Security virtual appliances must use version 2020.10.0 or later to use unencrypted TCP.
Procedure
- From the All Appliances page, select the appliance whose events you want Splunk to collect and analyze.
- On the appliance's properties page, select the Splunk tab.
- Click the Edit icon.
- In the Splunk Configuration dialog, configure the Syslog State to Enabled.
- In the Server field, specify an IP address or hostname for your Splunk server. For example, remoteSyslogHostname.
- In the Port field, specify a port between 1 and 65535. The default is 8516.
- If you want the server to use encryption, enable the Certificate option and specify a CA certificate.
Note: If you require CA certificate validation, add the CA certificate before you configure your Splunk server.
What to do next
The Splunk server will receive a notification for any filter set with +Notify actions. Manually created action sets that specify notifications to the "management console" will also be sent to the Splunk server.
The Network Security service sends data in Common Event Format (CEF). For example:
CEF:0|TippingPoint|vTPS Cloud|5.3.0.10200|164|ICMP: Echo Request (Ping)|1|dvchost=i-0a6821719d0f05bb1 dvc=192.0.2.2 cat=IpsBlock deviceFacility=IPS act=Block cs2=6b5f2632-12bd-11ea-bfc7-981b3f1b1c15 cs2Label=Policy UUID cs3=00000001-0001-0001-0001-000000000164 cs3Label=Signature UUID proto=ICMP src=10.100.3.94 dst=10.100.2.253 start=Nov 29 2019 16:25:33+0000 cnt=1 deviceInboundInterface=1B deviceOutboundInterface=1A cs1=l3 cs1Label=Virtual Segment cn2=0 cn2Label=SSL Flag c6a1=10.100.3.94 c6a1Label=Client IPv4
The Splunk event metadata shown alongside this example was: host = 10.100.1.102, source = udp:8514, sourcetype = syslog.
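The CEF event above is the form a Splunk search or a custom field extraction has to take apart: seven pipe-delimited header fields, then a space-separated extension whose values may themselves contain spaces (start=Nov 29 2019 16:25:33+0000, cs2Label=Policy UUID). The parser below is an added example, not code from the original page or from Trend Micro or Splunk; it re-joins the documented sample event onto one line, splits the header while honouring backslash escapes, splits the extension on the whitespace that precedes the next key= token, resolves the csNLabel pairs into readable names, and parses the start timestamp. The field names it uses are the ones present in the sample; everything else (function names, the summary tuple) is this example's own choice.

```python
"""Parse a Network Security CEF event as it would arrive at Splunk.

Added example, not from the original documentation. SAMPLE_EVENT is the
event quoted in the documentation, re-joined onto a single line.
"""
import re
from datetime import datetime

SAMPLE_EVENT = (
    "CEF:0|TippingPoint|vTPS Cloud|5.3.0.10200|164|ICMP: Echo Request (Ping)|1|"
    "dvchost=i-0a6821719d0f05bb1 dvc=192.0.2.2 cat=IpsBlock deviceFacility=IPS "
    "act=Block cs2=6b5f2632-12bd-11ea-bfc7-981b3f1b1c15 cs2Label=Policy UUID "
    "cs3=00000001-0001-0001-0001-000000000164 cs3Label=Signature UUID proto=ICMP "
    "src=10.100.3.94 dst=10.100.2.253 start=Nov 29 2019 16:25:33+0000 cnt=1 "
    "deviceInboundInterface=1B deviceOutboundInterface=1A cs1=l3 "
    "cs1Label=Virtual Segment cn2=0 cn2Label=SSL Flag c6a1=10.100.3.94 "
    "c6a1Label=Client IPv4"
)

# Names for the seven CEF header positions (CEF:Version|Vendor|Product|...).
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(event):
    """Return the 7 header fields and the remaining extension string.

    A literal '|' inside a header field is escaped as '\\|', so the split
    cannot be a plain str.split('|').
    """
    fields, buf, i = [], [], 0
    while i < len(event) and len(fields) < 7:
        ch = event[i]
        if ch == "\\" and i + 1 < len(event):      # escaped char: keep next as-is
            buf.append(event[i + 1])
            i += 2
            continue
        if ch == "|":                              # field boundary
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, event[i:]


def _split_extension(ext):
    """Split 'k=v k2=value with spaces' on whitespace that precedes a key= token.

    Values containing an escaped '\\=' are not handled by this simple splitter.
    """
    pairs = {}
    for chunk in re.split(r"\s+(?=\w+=)", ext.strip()):
        key, _, value = chunk.partition("=")
        pairs[key] = value
    return pairs


def parse_cef(event):
    """Parse one CEF line into header, raw extension, label-resolved fields."""
    header, ext = _split_header(event)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    header[0] = header[0][len("CEF:"):]            # "CEF:0" -> "0"
    extension = _split_extension(ext)

    # cs2Label=Policy UUID names the value carried in cs2; expose it by label.
    labeled = {}
    for key, label in extension.items():
        base = key[:-len("Label")]
        if key.endswith("Label") and base in extension:
            labeled[label] = extension[base]

    # The sample uses "Nov 29 2019 16:25:33+0000"; parse it as an aware datetime.
    start = None
    if "start" in extension:
        start = datetime.strptime(extension["start"], "%b %d %Y %H:%M:%S%z")

    return {"header": dict(zip(HEADER_FIELDS, header)),
            "extension": extension, "labeled": labeled, "start": start}


def event_summary(event):
    """Compact tuple a detection rule would key on: category, action, src, dst, filter name."""
    p = parse_cef(event)
    e = p["extension"]
    return (e.get("cat"), e.get("act"), e.get("src"), e.get("dst"), p["header"]["name"])


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_EVENT)
    print(parsed["header"])
    print(parsed["labeled"])
    print(event_summary(SAMPLE_EVENT))
```

The label resolution is the part worth copying into a Splunk field extraction or a SIEM normaliser: cs1, cs2 and cs3 mean nothing on their own, but the event tells you they are the Virtual Segment, the Policy UUID and the Signature UUID, and a rule that groups blocks by policy should key on those names rather than on the positional cs fields.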
When you click Save, the All Appliances page displays your appliance's Splunk status as Pending while the virtual appliance tries to establish a connection. Return to the Splunk Configuration dialog and click the Status Refresh button. When your virtual appliance has connected to Splunk successfully, the status changes to Connection Successful.
If an error occurs that prevents the connection, the status changes to Connection Failed and an error message provides insight into the failure. Additionally, you can use the root command show log-file to view more information about the failure in the system log.
Note: A Connection Successful status means that a connection has been established to a syslog server. It does not necessarily mean that events are being logged. If your Splunk connection status shows frequent connection and disconnection events, make sure that the server's IP and port correspond to a supported syslog destination.
The Network Security appliance sends events to a Splunk TCP input, either plain or over SSL. Because the Network Security interface does not enable you to configure a TCP input over SSL on the Splunk side, refer to your Splunk documentation for information on how to configure this. You can refer to the following topics to learn more about configuring SSL settings on Splunk:
To clear your Splunk configuration, click the Trash icon. Your appliance's Splunk state changes to Disabled.
Connect to Splunk through an API
Refer to the remote syslog APIs in the API Reference for information on connecting to an external Splunk server.
To verify your Splunk connection using an API, use the GET /api/appliances/{ID}/remotesyslogs/{remotesyslogID} call.