This is the diagram I used to deploy this lab.
![](https://tungle.ca/wp-content/uploads/2022/04/image-408.png)
Log in to Splunk, then download the Cisco Suite for Splunk, FortiGate, and Palo Alto Networks apps for Splunk.
![](https://tungle.ca/wp-content/uploads/2022/04/image-375-1024x412.png)
Click Install app from file.
![](https://tungle.ca/wp-content/uploads/2022/04/image-376-1024x294.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-377.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-378-1024x370.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-379-1024x404.png)
On Splunk.
+ Palo Alto
Go to Settings – Data inputs – UDP – New Local UDP.
Enter 5514 in the Port field.
![](https://tungle.ca/wp-content/uploads/2022/04/image-382-1024x457.png)
Source type: pan_log
App Context: Palo Alto Networks
Method: IP
Index: Default
![](https://tungle.ca/wp-content/uploads/2022/04/image-383-1024x675.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-384-1024x405.png)
On the Palo Alto firewall, configure log forwarding to the Splunk server with destination UDP port 5514.
![](https://tungle.ca/wp-content/uploads/2022/04/image-380-1024x644.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-381-1024x629.png)
Back in Splunk.
![](https://tungle.ca/wp-content/uploads/2022/04/image-385-1024x444.png)
Click Palo Alto App – Operations – Real-time Event Feed.
![](https://tungle.ca/wp-content/uploads/2022/04/image-386-1024x523.png)
+ Cisco Router R1.
```
conf t
logging trap informational
logging host 142.232.197.8 transport udp port 5515
```
On Splunk.
![](https://tungle.ca/wp-content/uploads/2022/04/image-387-1024x647.png)
Port 5515
![](https://tungle.ca/wp-content/uploads/2022/04/image-388-1024x457.png)
Source type: cisco:asa
App Context: Cisco Suite for Splunk
Method: IP
Index: default
![](https://tungle.ca/wp-content/uploads/2022/04/image-389.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-390-1024x409.png)
Back on the router, send sample log messages to Splunk.
```
end
send log "Tung Le"
send log "Tung Le"
```
![](https://tungle.ca/wp-content/uploads/2022/04/image-391.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-392-1024x422.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-393-1024x508.png)
+ On Kali Linux.
```bash
sudo su
nano /etc/rsyslog.conf
```
Add the following line to the end of the file. The single `@` forwards over UDP (`@@` would use TCP), and Splunk will listen on port 5516.
```
*.* @142.232.198.8:5516
```
![](https://tungle.ca/wp-content/uploads/2022/04/image-394.png)
Restart the rsyslog service and confirm it is running.
```bash
systemctl restart rsyslog
systemctl status rsyslog
```
![](https://tungle.ca/wp-content/uploads/2022/04/image-395.png)
Back in Splunk, add a UDP data input on port 5516 for the Linux host.
![](https://tungle.ca/wp-content/uploads/2022/04/image-396.png)
Source type: Syslog
App Context: Apps Browser
![](https://tungle.ca/wp-content/uploads/2022/04/image-397.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-398-1024x410.png)
Back on Kali, run the command below to generate a test log message for Splunk.
```bash
logger "Tung Le"
```
![](https://tungle.ca/wp-content/uploads/2022/04/image-399.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-400-1024x739.png)
+ FortiGate:
Configure the FortiGate to send logs to Splunk over UDP port 5517.
```
config log syslogd setting
    set status enable
    set server 142.232.197.8
    set port 5517
end
```
![](https://tungle.ca/wp-content/uploads/2022/04/image-401.png)
Log in to the FortiGate GUI and enable the setting below to send logs to Splunk.
![](https://tungle.ca/wp-content/uploads/2022/04/image-402.png)
On Splunk, add a UDP data input on port 5517.
![](https://tungle.ca/wp-content/uploads/2022/04/image-403.png)
Source type: fgt_log
App Context: FortiGate
Method: IP
Index: Default
![](https://tungle.ca/wp-content/uploads/2022/04/image-404.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-405-1024x404.png)
Log out of FortiGate and attempt to log back in with a wrong password to generate login-failure events.
![](https://tungle.ca/wp-content/uploads/2022/04/image-406-1024x555.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-407-1024x562.png)
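With all four inputs in place, one search confirms that every device is actually landing on its own sourcetype and shows when each was last seen. This is an added check, not from the original post; it assumes the inputs were left on the default index (`main`) as in the screenshots.

```spl
index=main sourcetype IN (pan_log, "cisco:asa", syslog, fgt_log)
| stats count latest(_time) AS last_seen BY host sourcetype
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort sourcetype
```

A sourcetype missing from the result means the device is not sending or the UDP port on the Splunk host is not reachable; a sourcetype present under an unexpected host usually means two devices were pointed at the same port.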