KB N°2809: Send browsing logs to Splunk Enterprise SIEM
Published November 24, 2023
This article is a step-by-step guide to connecting your Olfeo OP to your Splunk Enterprise 9.1.1 SIEM in order to send your browsing logs.
Prerequisites
Outgoing port 514 must be open from the Olfeo to the Splunk Enterprise server, and the Splunk Enterprise server must accept connections on port 514.
To open port 514 in the firewall of a Splunk Enterprise server running CentOS, use the following firewalld commands (this example opens TCP; match the protocol to what the Olfeo actually sends):
sudo firewall-cmd --add-port=514/tcp --zone=public --permanent && sudo firewall-cmd --reload
Opening the firewall port is not enough on its own: rsyslog on the Splunk server must also be listening on port 514. By default it does not listen on the network; the network input modules (imtcp for TCP, imudp for UDP) are present but commented out in /etc/rsyslog.conf on CentOS and must be enabled.
Steps
- To redirect the Olfeo logs to a dedicated file, open the rsyslog configuration file /etc/rsyslog.conf and add the following line in the #### RULES #### section (you can change the file that the logs are written to):
if $programname == 'olfeo' then /var/log/olfeo.log
Without anything else, the same messages will also keep being written to /var/log/messages; if you do not want that, add a second line containing only & stop directly after it.
- Restart the Rsyslog daemon with the following command:
systemctl restart rsyslog
- Then assign ownership of the /var/log/olfeo.log file to the splunk user and splunk group. rsyslog only creates the file when the first matching message arrives, so either send a message first or create the file with touch before running:
chown splunk:splunk /var/log/olfeo.log
- In the administration interface of your Olfeo master, go to Settings > Supervision > Syslog then Add a syslog server. You can then fill in the fields Label, Server (IPv4 or FQDN) and check the box Send traffic logs.
- In the Splunk Enterprise administration interface, go to Settings > Data inputs > Files & directories and create a new file/directory input.
- Select the file /var/log/olfeo.log and leave Continuously Monitor selected.
- In the next step, choose syslog as the source type.
- On the next page you can choose the app context in which the data will be visible, as well as the host name and the index. None of these affects what the Olfeo sends; they only determine where the events are stored and searched in Splunk.
- Review and submit the creation of this input.
- Click Start searching to see the browsing logs of your Olfeo.
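The following script is an added example for this article and is not Olfeo or Splunk code. It renders the rsyslog rule from the steps above as a complete drop-in file, lets you check offline which syslog lines the $programname == 'olfeo' test matches, and sends a tagged probe message so the whole chain (firewall, rsyslog listener, file, Splunk monitor) can be verified. Everything not in the article is an assumption: the drop-in path /etc/rsyslog.d/olfeo.conf (rsyslog.conf on CentOS includes that directory by default), the placeholder collector name splunk.example.com, a TCP listener on 514, the use of omfile's fileOwner/fileGroup parameters instead of the manual chown, and the util-linux logger command on the sending host.

```shell
#!/usr/bin/env bash
# Added example for KB 2809, not Olfeo or Splunk code. Renders the rsyslog rule
# from the article as a drop-in file, checks the $programname match offline, and
# sends a tagged probe to the collector. Assumptions (not from the article): the
# drop-in path, the SPLUNK_HOST name, a TCP listener on 514, util-linux `logger`.
set -eu

OLFEO_LOG=${OLFEO_LOG:-/var/log/olfeo.log}                   # file used in the article
SPLUNK_HOST=${SPLUNK_HOST:-splunk.example.com}               # assumed collector name
RSYSLOG_DROPIN=${RSYSLOG_DROPIN:-/etc/rsyslog.d/olfeo.conf}  # assumed drop-in path

# Render the rsyslog configuration. The imtcp lines make rsyslog listen on
# 514/tcp (the article's firewall rule opens the port, but rsyslog does not
# listen by default); remove them if rsyslog.conf already loads imtcp, because
# loading a module twice is a configuration error. omfile's fileOwner/fileGroup
# replace the manual chown, and "stop" keeps the lines out of /var/log/messages.
render_rsyslog_conf() {
  logfile=$1
  cat <<EOF
module(load="imtcp")
input(type="imtcp" port="514")
if \$programname == 'olfeo' then {
    action(type="omfile" file="$logfile"
           fileOwner="splunk" fileGroup="splunk" fileCreateMode="0640")
    stop
}
EOF
}

# Offline check of the filter: rsyslog's $programname is the syslog tag without
# its "[pid]" and trailing colon, i.e. the fifth field of an RFC 3164 line
# ("Nov 24 10:00:00 host tag[pid]: message").
programname_of() {
  printf '%s\n' "$1" | awk '{ t=$5; sub(/\[.*$/, "", t); sub(/:$/, "", t); print t }'
}

# Destination file the rule above would pick for a given line.
route_line() {
  if [ "$(programname_of "$1")" = "olfeo" ]; then
    printf '%s\n' "$OLFEO_LOG"
  else
    printf '%s\n' "/var/log/messages"
  fi
}

# On the Splunk server, as root: write the drop-in, validate the whole config
# without starting a daemon (rsyslogd -N1), restart, and confirm the listener.
install_rule() {
  render_rsyslog_conf "$OLFEO_LOG" > "$RSYSLOG_DROPIN"
  rsyslogd -N1
  systemctl restart rsyslog
  ss -ltn | grep -q ':514 ' || { echo "rsyslog is not listening on 514/tcp" >&2; return 1; }
}

# From any host that can reach the collector: send a probe tagged "olfeo" over
# TCP and print the marker to grep for in /var/log/olfeo.log or in Splunk.
send_probe() {
  marker="olfeo-splunk-probe-$$"
  logger -n "$SPLUNK_HOST" -P 514 -T -t olfeo "$marker"
  printf '%s\n' "$marker"
}

case "${1:-}" in
  install) install_rule ;;
  probe)   send_probe ;;
  render)  render_rsyslog_conf "$OLFEO_LOG" ;;
  *)       : ;;   # no argument: only define the functions
esac
```

Run it with render to inspect the generated configuration, install on the Splunk server, and probe from the Olfeo's network segment; the printed marker should then show up both in /var/log/olfeo.log and in a Splunk search on the chosen index. The two sample lines in the offline check (constructed, not real Olfeo output) only illustrate how the tag is extracted; the Olfeo's own message format is whatever it sends with the olfeo tag.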