Getting Data In

How to forward logs of a specific source to a third-party, non-Splunk system using a certificate?

rgb22
New Member

Hello guys,

we are working with a Heavy forwarder and its receiving logs from a lot of sources and of course sending them into a Splunk Indexer. However, now I'm trying add the functionality to forward (firewall) logs of a specific sourcetype via syslog to another instance which is not from Splunk using a certificate.

I tried the steps of the documentation but i wasn't able to do it work properly. Can you give me some help with this please?

PD: The documentation i was using: http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

Thanks you in advance

0 Karma

mwdbhyat
Builder

Can you describe more about the issue you are facing ? Is there an error you are getting or is it just not forwarding anything ?

0 Karma

rgb22
New Member

Thanks for your response.

I'm receiving firewall logs into a heavy forwarder and i need to send those logs to 1) Splunk indexers and 2) McAfee SIEM using certificate for the second. but i have no idea how to do it, I tried to send syslogs to another instance and it worked but i dont know how to do it using certificate. Ofcourse it needs to be a certificate who can work with splunk and mcfee

0 Karma

mwdbhyat
Builder

So the issue lies with the certificates then and not the forwarding/routing ?

0 Karma

rgb22
New Member

Yes, thats exactly my issue.

In addition: I was making some test and i was able to send those logs to another instance but if you have a guide like "better practices" to do this, i would be very grateful.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...