Getting Data In

unable to send windows events from splunk server to third party syslog server

cleelakrishna
Loves-to-Learn

tried below configurations to forward the data from SPLUNK server to syslog server(third party) , but no data in syslog server. can you please help me out on this where i'm going wrong

props.conf:

[WinEventLog:Security]
TRANSFORMS-routing = win_security_syslog

[WinEventLog:Application]
TRANSFORMS-routing = win_application_syslog

[WinEventLog:System]
TRANSFORMS-routing = win_system_syslog

transforms.conf :

[win_security_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = win_syslog_group

[win_application_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = win_syslog_group

[win_system_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = win_syslog_group

outputs.conf:

[syslog:win_syslog_group]
server = abc:514
type=udp

Tags (1)
0 Karma

maraman_splunk
Splunk Employee
Splunk Employee

Hi,

I'm afraid there's no easy solution.

your configuration looks good but doesn't apply because winevent log collection is done in a structured way -> so data is going out of your UF already parsed ...
when received later on (on a HF for example which can send syslog) -> splunk doesn't reanalyze the data twice.
but the original UF can't directly send syslog...

so you should :
- keep a uf for collection
- send your data normally up to your indexer(s).
- somewhere between your uf and indexer(s), clone the data (a uf can do it) and send it to 1 or more specialized HF that will do the syslog and other specific things (ie transforms) you'll need to make windows event fit in syslog (because that's not natural to make multiline go in a protocol which is traditionally for one line events...)
- apply your syslog stuff above on the specialized HF/Syslog

look at this post as a guideline
https://answers.splunk.com/answers/5528/forwarding-select-data-in-my-environment.html

beware that you should not modify the settings before cloning as setting the route parameters on input should normally not be modified.(because it's easy to break things this way)

Good luck and happy splunking !

maciep
Champion

do you have that config on a heavy forwarder or indexer? don't believe syslog processing is available on universal forwarder.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...