Solved: Is it possible to send logs in CEF format or raw l...

gcusello · ‎02-10-2016

Hi at all,

I have to send logs to a third party system by syslog.
I configured my system and I'm able to send events to a third party system, but the receiver needs to have logs in raw or CEF format and Splunk sends syslogs in a different format.

Is it possible to change the logs format or to send raw logs by syslog?

Thank you.
Bye.
Giuseppe

bobnieuwenhuis · ‎02-18-2016

Guiseppe,

You could use App for CEF https://splunkbase.splunk.com/app/1847/
We are using it to send data in CEF format to ArcSight, only downside to this is, you have to use a standalone searchhead, as you can't use it in a searchheadcluster.

Hope this answers your question.
Bob

View solution in original post

bobnieuwenhuis · ‎02-18-2016

Guiseppe,

You could use App for CEF https://splunkbase.splunk.com/app/1847/
We are using it to send data in CEF format to ArcSight, only downside to this is, you have to use a standalone searchhead, as you can't use it in a searchheadcluster.

Hope this answers your question.
Bob

harehabibi · ‎03-11-2019

hi
after installation App fo CEF , how config outputs.conf (\Splunk\etc\apps\splunk_app_cef\default\outputs.conf) and other config file
i want to send some log generated by Splunk_stream to arcsight
on

Shyngys_Bolatbe · ‎02-16-2018

How to save new field, which created with |cefkv command?
When I don't use |cefkv command my new fileds disappear.
I want to save fields in index with events

Shyngys_Bolatbe · ‎02-16-2018

How to save new field, which created with |cefkv command?
When I don't use |cefkv command my new fileds disappear.
I want to save fields in index with events

Is it possible to send logs in CEF format or raw logs by syslog from Splunk to a third party system?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!