Splunk


The Nasuni Connector for Splunk enables security and operations teams to monitor, investigate, and respond to storage-related events across their Nasuni environment. By ingesting and parsing syslog data from Nasuni Edge Appliances and the Nasuni Management Console (NMC), the app normalizes and enriches events for efficient search, correlation, and integration with Splunk SOAR workflows.

Overview

The Nasuni Connector for Splunk, when installed, automatically parses matching syslog messages and assigns key names to the relevant fields. It is available for installation from Splunkbase.

Configure the Nasuni Connector for Splunk

Step 1 — Install the app from Splunkbase

  1. Log in to your Splunk instance and navigate to Apps in the top navigation bar.

  2. Click Find More Apps to open the Splunkbase browser, then search for Nasuni.

  3. Select the Nasuni app from the results and click Install. Splunk prompts for your Splunkbase credentials if not already authenticated.

  4. Once installed, restart Splunk if prompted. The app appears in your Apps list.


Step 2 — Enable the syslog listener

  1. In Splunk, go to Settings → Data Inputs → UDP and click New Local UDP.

  2. Enter 514 or another available port number. Set the source type to syslog and assign an appropriate index (for example, the default index).

  3. Save the input. Refer to the Splunk documentation on monitoring TCP and UDP ports for detailed guidance and platform-specific notes.

Note: On Linux, Splunk must run as root (or have elevated privileges) to bind to ports below 1024. If port 514 is already in use by the OS syslog daemon (rsyslog/syslogd), disable that service's network listener first, or configure a port redirect from 514 to a higher port such as 5514.


Step 3 — Configure the Nasuni Edge Appliance

Before proceeding, ensure the selected UDP/TCP port (for example, 514) is open between each Edge Appliance and your Splunk instance.

Enable syslog export (NMC)

  1. Log in to the Nasuni Management Console (NMC).

  2. Go to Filers → Filer Settings → Syslog Export Settings in the left navigation.

  3. Select the Edge Appliance(s) you want to configure and click Edit Filers.

  4. Under Syslog Export, enable syslog and enter the IP address or hostname of your Splunk instance as the syslog destination. If the port is not 514, specify the destination as host:port.

  5. Turn on Send Auditing Messages and Send Notification Messages, and set Lowest Log Level to Info.

  6. Save your changes. The Edge Appliance begins forwarding generic Edge and NMC events to Splunk. Refer to the Nasuni NMC Guide - Syslog Export Settings for detailed guidance.

(Optional) Enable volume auditing for filesystem audit events (NMC)

  1. In the NMC, go to Volumes → Auditing under Volume Services.

  2. Select the volume to audit and click Edit Volumes.

  3. Set Auditing Enabled to On and select the event types to track. For ransomware coverage, include Delete, Rename, and Security.

  4. Enable Send Audit messages to syslog and save. Filesystem audit events are now included in the syslog stream sent to Splunk. Refer to the Nasuni NMC Guide - File System Auditing for detailed guidance.

Note: Ransomware protection alerts and antivirus detection alerts are forwarded automatically once syslog export is enabled — no additional configuration is required for those event types.

Troubleshooting

No events appear in Splunk

  • Verify the UDP port for data input is enabled in Settings → Data Inputs → UDP.

  • Confirm Splunk is running with sufficient privileges to listen on that port (root/admin on Linux).

  • Check that no other process (rsyslog, syslogd) is already occupying port 514 — run netstat -nlup on Linux to verify.

  • Test network connectivity between the Nasuni Edge Appliance and the Splunk host over UDP/TCP (for example, port 514).
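The following Python script is an added example, not part of the Nasuni app or the Splunk documentation. It performs two of the checks listed above before any Edge Appliance is pointed at Splunk: it tries to bind the chosen UDP port on the Splunk host to tell a privilege problem (root needed for ports below 1024) from a port conflict (rsyslog/syslogd already bound to 514), and it sends a single RFC 3164-style syslog datagram so the input can be exercised from any host that can reach Splunk. The host and port arguments, the `nasuni-check` tag and the message text are assumptions chosen for the example; the loopback listener in `run_loopback_check()` stands in for the Splunk input so the script also runs offline.

```python
"""Pre-flight checks for a Splunk UDP syslog input.

Added example (not Nasuni or Splunk code). Two checks that map onto the
troubleshooting steps above:
  * probe_udp_port(): can this host bind the chosen UDP port at all?
      PermissionError -> Splunk needs root (or a port >= 1024) to listen
      EADDRINUSE      -> another daemon such as rsyslog already owns the port
  * send_test_syslog(): emit one RFC 3164-style syslog datagram so the input
    can be checked before an Edge Appliance is configured to send to it.
"""
import errno
import socket
import sys
import time
from dataclasses import dataclass


@dataclass
class PortProbe:
    port: int
    status: str       # "free", "in_use", "permission_denied" or "error"
    detail: str = ""


def probe_udp_port(port: int, host: str = "0.0.0.0") -> PortProbe:
    """Try to bind a UDP socket on host:port and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return PortProbe(port, "free")
    except PermissionError as exc:
        # Ports below 1024 need root / CAP_NET_BIND_SERVICE on Linux.
        return PortProbe(port, "permission_denied", str(exc))
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            # Typically the OS syslog daemon (rsyslog/syslogd) sitting on 514.
            return PortProbe(port, "in_use", str(exc))
        return PortProbe(port, "error", str(exc))
    finally:
        sock.close()


def build_syslog_message(msg: str, facility: int = 1, severity: int = 6,
                         hostname: str = "splunk-test",
                         tag: str = "nasuni-check") -> bytes:
    """Format an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    facility 1 (user) and severity 6 (informational) give PRI = 1*8 + 6 = 14.
    The RFC 3164 timestamp uses a space-padded day, hence the manual layout.
    """
    pri = facility * 8 + severity
    t = time.localtime()
    timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def send_test_syslog(host: str, port: int, msg: str) -> bytes:
    """Send one datagram to the syslog input; returns the bytes that were sent."""
    payload = build_syslog_message(msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return payload


def run_loopback_check(msg: str = "nasuni syslog connectivity test"):
    """Offline demo: a listener on an ephemeral loopback port stands in for the
    Splunk UDP input. Confirms probe_udp_port() reports that port as in use,
    sends a test message, and returns (probe, bytes sent, bytes received)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))            # port 0 = pick a free port
        port = listener.getsockname()[1]
        listener.settimeout(2)
        probe = probe_udp_port(port, "127.0.0.1")  # expected: in_use
        sent = send_test_syslog("127.0.0.1", port, msg)
        received, _ = listener.recvfrom(4096)
    return probe, sent, received


if __name__ == "__main__":
    # Usage: python check_syslog_input.py [port] [splunk-host]
    target_port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    print("bind check on this host:", probe_udp_port(target_port))
    if len(sys.argv) > 2:
        print("sent to Splunk host:", send_test_syslog(sys.argv[2], target_port,
                                                       "nasuni syslog connectivity test"))
    probe, sent, received = run_loopback_check()
    print("loopback demo:", probe, sent, received, sep="\n  ")
```

Run the bind check on the Splunk host itself (as the user Splunk runs under) to reproduce the privilege and port-conflict conditions from the list above; run the send from a host on the Edge Appliance's network segment, then search `sourcetype=syslog nasuni-check` in Splunk to confirm the datagram traversed the firewall and reached the input.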

Events are arriving, but not parsing correctly

  • Confirm the sourcetype is set to syslog on the UDP data input.

  • Verify that the Nasuni app is installed on the same Splunk instance that receives the data, not just the search head.

  • Restart Splunk after installation if this step was skipped.

Filesystem audit events missing

  • Volume auditing must be enabled per volume in the NMC — confirm it is enabled for each volume you expect to see events from.

  • Check that Send Audit messages to syslog is enabled in the volume auditing settings.

  • Verify that the desired audit event types (Delete, Rename, Security, and so forth) are selected.

Ransomware or antivirus alerts are missing

  • Confirm syslog export is enabled and pointing to the correct Splunk IP address or hostname in NMC → Filers → Notifications.

  • These alerts are generated by Nasuni's Ransomware Protection engine. Verify the relevant Nasuni features (Ransomware Protection, antivirus scanning) are licensed and active on the appliance.

General checks

  • Ensure firewall rules allow UDP/TCP traffic on port 514 from all Edge Appliances to the Splunk instance.

  • If running Splunk Cloud, direct UDP inputs are not supported; a forwarder instance must be used as an intermediary to receive syslog and forward it to the cloud instance.

  • After any configuration change in the NMC, allow a few minutes for events to begin flowing.