Versa Networks

Integrate Splunk with Versa Analytics

For supported software information, see the Supported Software Information section at the end of this article.

If you are using Splunk software for security information and event management (SIEM) and analysis of machine-generated data, you can send logs generated by Versa Analytics nodes, such as alarm logs, event logs, and threat logs, to the Splunk software so that you have a single monitoring system across all your network products.

The Analytics log collector receives logs from branches, hubs, and Controller nodes in IPFIX format. You can configure the Analytics node to forward these logs to Splunk in the syslog key-value pair format, and you can configure Splunk to receive the logs and display them in its web interface.

This article describes how to configure Analytics nodes and the Splunk software to work together.

Configure the Analytics Node To Stream Logs to Splunk

You configure the Analytics log collector to send logs to the IP address and port in the Splunk software that is configured to receive logs.

For demonstration purposes, you can configure the Splunk software on the same node as the Analytics log collector. However, in a production setup, it is recommended that you do not run the Splunk software directly on the Analytics node.

To configure the Analytics node to stream logs to the Splunk software:

  1. Configure a local collector on the Analytics log collector node:
admin@Analytics$ cli
admin@Analytics> configure
admin@Analytics% set log-collector-exporter local collectors col address 192.168.77.4
admin@Analytics% set log-collector-exporter local collectors col port 1234
admin@Analytics% set log-collector-exporter local collectors col transport tcp
admin@Analytics% set log-collector-exporter local collectors col storage directory /var/tmp/log/
admin@Analytics% set log-collector-exporter local collectors col storage format syslog
admin@Analytics% set log-collector-exporter remote templates syslog-template type syslog
  2. Configure a remote collector, which is the Splunk system, and an exporter rule that sends the selected log types to it:
admin@Analytics% set log-collector-exporter remote collectors splunk destination-address 192.168.77.4
admin@Analytics% set log-collector-exporter remote collectors splunk destination-port 514
admin@Analytics% set log-collector-exporter remote collectors splunk source-address 192.168.77.4
admin@Analytics% set log-collector-exporter remote collectors splunk transport udp
admin@Analytics% set log-collector-exporter remote collectors splunk template syslog-template
admin@Analytics% set log-collector-exporter remote collector-groups splunk-cg collectors [ splunk ]
admin@Analytics% set log-collector-exporter remote profiles splunk-profile collector-group splunk-cg
admin@Analytics% set log-collector-exporter exporter rules rule1 match local-collector col
admin@Analytics% set log-collector-exporter exporter rules rule1 match log-types [ alarm-log flow-log firewall-log threat-log ]
admin@Analytics% set log-collector-exporter exporter rules rule1 set remote-collector-profile splunk-profile
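To confirm that the exporter rule above actually delivers records to the Splunk host before the Splunk data input exists, the following added listener (example code written for this article, not Versa's or Splunk's) binds the destination port from the configuration, flags datagrams that do not arrive from the configured source-address, and splits each syslog key-value record into fields. The sample record, its field names and the exact key=value layout are constructed assumptions, not a captured Versa Analytics log.

```python
import re
import socket
from typing import Dict, List

# Constructed sample in the generic "syslog header + key=value pairs" shape.
# It is NOT a captured Versa Analytics record; field names are placeholders.
SAMPLE_RECORD = (
    '<134>2024-01-01T00:00:00Z analytics-node versa: '
    'logType=alarm-log severity=major applianceName="branch-1" '
    'description="tunnel down"'
)

# Values taken from the exporter configuration in this article.
EXPECTED_SOURCE = "192.168.77.4"
DESTINATION_PORT = 514

PRI_RE = re.compile(r"^<(\d{1,3})>")                 # syslog <PRI> prefix
KV_RE = re.compile(r'([\w.-]+)=("([^"]*)"|\S+)')     # key=value or key="v v"


def parse_syslog_kv(record: str) -> Dict[str, str]:
    """Decode the PRI into facility/severity and collect every key=value field."""
    fields: Dict[str, str] = {}
    m = PRI_RE.match(record)
    if m:
        pri = int(m.group(1))
        fields["syslog_facility"] = str(pri >> 3)   # e.g. 134 -> local0 (16)
        fields["syslog_severity"] = str(pri & 7)    # e.g. 134 -> info (6)
    for key, raw, quoted in KV_RE.findall(record):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def listen(bind_addr: str = "0.0.0.0", port: int = DESTINATION_PORT,
           expected_source: str = EXPECTED_SOURCE,
           max_records: int = 5) -> List[Dict[str, str]]:
    """Receive UDP datagrams on the Splunk-side port and parse each one.
    Binding port 514 requires root; pass an unprivileged port for a quick test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    records: List[Dict[str, str]] = []
    while len(records) < max_records:
        data, peer = sock.recvfrom(65535)
        rec = parse_syslog_kv(data.decode("utf-8", errors="replace"))
        rec["peer"] = peer[0]
        # Anything not from the configured source-address is worth investigating.
        rec["from_expected_source"] = str(peer[0] == expected_source)
        records.append(rec)
    sock.close()
    return records


if __name__ == "__main__":
    print(parse_syslog_kv(SAMPLE_RECORD))
```

Run it on the Splunk host while the Analytics node is exporting; once the fields print as expected, replace the listener with the Splunk data input on the same port.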


Install the Splunk Software

If the Splunk software is not installed on your network, install it. To install a free trial version:

  1. Download the free trial version of the enterprise software from https://www.splunk.com/en_us/download/splunk-enterprise.html.
  2. Install the software either on an existing virtual machine (VM) node or on a separate VM. In a production setup, it is recommended that you do not run the software on the Analytics node.
  3. Install the package and start Splunk:
$ dpkg -i software-version.deb
$ sudo /opt/splunk/bin/splunk start

For example:

$ dpkg -i splunk-6.6.1-aeae3fe0c5af-linux-2.6-amd64.deb
$ sudo /opt/splunk/bin/splunk start

Set Up the Splunk Software

To integrate the Splunk software with Versa Analytics, you install the Splunk application for Versa Networks. This application is a reporting and analysis tool for Versa services that automatically processes Versa logs and provides a web interface for displaying information about Versa services. You can install the Splunk application for Versa Networks for Splunk Releases 6.1 and later.

To install the Splunk application for Versa Networks:

  1. Download the splunk_versa.tar file from https://versanetworks.box.com/s/5uiskasok7pfuxzv4t9frpizrv3fgbwf.
  2. In the Splunk window, select Apps > Manage Apps tab.

  3. In the File field, select the file path to the Versa application.
  4. Click Upgrade App to upgrade the Versa Networks application, if necessary.
  5. Click Upload.
  6. Restart Splunk.
  7. In the Splunk software, select the Settings > Data Inputs tab, and then enter information for the following fields.

    1. In the Data Input field, select the protocol to use, either UDP or TCP.
    2. In the Port field, enter the number of the port on which to send the logs.
    3. In the Source field, select versa_log.
    4. In the Index field, select versa_logs.
  8. Click Save.

In the Splunk Apps tab, select the Splunk for Versa Networks tab to view the web screens that display information about Versa services.

Supported Software Information

Releases 20.2 and later support all content described in this article.
