
Receive cooked data to index securitylogs

nicocin
Path Finder

We have some appliances (Open System Webproxy); they can send Splunk cooked data into Splunk.

I want to receive the data to a restricted index (securitylogs).

In a first try I configured the listening port in the Web UI: Settings -> Forwarding and receiving -> Configure receiving -> added port 3514.

This was working, but it was using the main index. So I reconfigured it in the app "config_all_indexers":

inputs.conf
[splunktcp://3514]
disabled = 0
index = securitylogs

Then I used the "| delete" function to remove the data from the main index.

Now I don't get any data from the appliances anymore and I've no idea why.

Maybe someone can give me a hint what the problem with my config is?

1 Solution

nicocin
Path Finder

Thank you for the tips.

I've changed nothing but now I'm receiving events.

Unfortunately they go to the main index.


How can I change that?


nicocin
Path Finder

I've found another article that states: 'The "splunktcp" input is not a data input, but instead an input to listen to Splunk Forwarders.'

So I've configured it with props.conf and transforms.conf:

props.conf
[mc_logs]
TRANSFORMS-index=sendtomyindex

transforms.conf
[sendtomyindex]
SOURCE_KEY=_MetaData:Index
DEST_KEY=_MetaData:Index
REGEX=(.*)
FORMAT=securitylogs

Now the data goes to the index "securitylogs".

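To make the index-time routing above concrete, here is a small Python model added for this thread (not Splunk's code and not from the original post): it applies the props.conf and transforms.conf stanzas from the post to a constructed cooked event and shows why index= on the splunktcp stanza leaves the forwarder's index in place while the TRANSFORMS-index rewrite changes it. The metadata key names and the cooked-event layout are assumptions based on the stanzas above.

```python
import re

# Simplified model of Splunk index-time routing; key names follow the
# stanzas in the thread, sample data is constructed, not real events.

PROPS = {"mc_logs": ["sendtomyindex"]}   # props.conf: [mc_logs] TRANSFORMS-index=sendtomyindex
TRANSFORMS = {                            # transforms.conf: [sendtomyindex]
    "sendtomyindex": {
        "SOURCE_KEY": "_MetaData:Index",
        "DEST_KEY": "_MetaData:Index",
        "REGEX": r"(.*)",
        "FORMAT": "securitylogs",
    }
}

# Constructed cooked event: the forwarder has already stamped its metadata on it.
COOKED_EVENT = {
    "MetaData:Sourcetype": "mc_logs",
    "_MetaData:Index": "main",   # forwarder's choice, which is why events landed in main
    "_raw": "2024-01-01 12:00:00 proxy deny client=10.0.0.5 url=example.invalid",
}

def apply_input_default(event, input_index):
    """Model of 'index = ...' on a [splunktcp://...] stanza (assumption): cooked
    data already carries an index, so the stanza only fills in a missing key."""
    new = dict(event)
    new.setdefault("_MetaData:Index", input_index)
    return new

def apply_transform(event, transform):
    """Apply one transforms.conf stanza: run REGEX against SOURCE_KEY and, on a
    match, write FORMAT (with $1..$n capture substitution) into DEST_KEY."""
    match = re.search(transform["REGEX"], event.get(transform["SOURCE_KEY"], ""))
    if not match:
        return event                      # no match: metadata left untouched
    out = transform["FORMAT"]
    for n, group in enumerate(match.groups(), start=1):
        out = out.replace(f"${n}", group or "")
    new = dict(event)
    new[transform["DEST_KEY"]] = out
    return new

def route(event, props=PROPS, transforms=TRANSFORMS):
    """Run the TRANSFORMS-index chain that props.conf binds to the event's sourcetype."""
    for name in props.get(event.get("MetaData:Sourcetype"), []):
        event = apply_transform(event, transforms[name])
    return event
```

Note that the transform is scoped by the props.conf stanza, so events of any other sourcetype keep whatever index the forwarder assigned.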

niemesrw
Path Finder

It sounds like you have it configured properly. I'd take the following steps to troubleshoot what might be going on:

  1. Run tcpdump on the indexer where you have that input & index configured, do you see traffic making its way to that indexer?
  2. Run netstat -an | grep 3514 on the indexer to ensure the port is open & listening
  3. Examine the securitylogs index to ensure it's growing
  4. Run index=* source="tcp:3514" to see if it's going to a different index (you may want to run it on the search heads & the indexers)
  5. Run index=_internal and search for anything relating to the cooked logs or a host configured to send logs to your indexers

woodcock
Esteemed Legend

Did you configure the securitylogs index in indexes.conf on all of your indexers (and then restart them)?


nicocin
Path Finder

It is configured in the app config_all_indexers which is deployed to all indexers.

I've restarted splunkd on all indexers.
