Hello,
I'm trying to send Windows events using a Universal Forwarder to a 3rd party system.
I configured outputs.conf as shown below:
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
server = indexer1:9997,indexer2:9997, etc
autoLB = true
compressed = true
[tcpout:external]
server=10.10.10.10:514
sendCookedData=false
The forwarder has an inputs.conf which looks for WinEvent:Security. The events are reaching the Splunk indexers successfully, but not the 3rd party server. The 3rd party server is only receiving Splunk internal events, which tells me that the outputs.conf stanza is correct and I have connectivity between the 2 machines.
Is there anything specific I need to configure in order to forward the Windows events to the 3rd party server as well? I only need to send the raw events; no other parsing/transformation is needed. Any suggestion would be highly appreciated.
Thanks!
Hi raduand,
As described at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd , you should try to delete (or comment out) the first stanza in outputs.conf:
[tcpout]
defaultGroup = primary_indexers
Bye.
Giuseppe
Thanks! Now it's sending something, but the Windows events are multi-line and I'd like to receive the full event in a single line on the 3rd party destination. Is that possible?
Hi raduand,
I don't think that it's possible because you're sending uncooked data. You should parse the data in the destination system to aggregate rows into a single log, or use cooked data and parse them in the destination system.
Bye.
Giuseppe
Cool, then I believe I need to use an intermediate Heavy Forwarder to parse the logs and then forward them to the 3rd party destination.
Thanks a lot and best regards,
Andrei
I am having the same problem. Did you get this to work? Thanks
We are trying to do something similar, but we want the UF to send the same data to both our indexer group and the third party system. Is this possible? We configured the _TCP_ROUTING property to use both tcpout stanzas for indexer-group and secops-server, but the data in the secops-server is not correct. It looks as though it's just internal Splunk logs/metrics from the UF and not Windows event logs.
Hi vonsolo29,
Did you insert the option sendCookedData=false
in the outputs.conf's external stanza?
In addition, you also have to modify the other inputs.conf; probably you're sending the Splunk internal logs as well.
Bye.
Giuseppe
This is what I have in outputs.conf:
[tcpout]
defaultGroup = indexer-group
[tcpout:indexer-group]
server = SPLUNKINDEXERSERVER:9997,SPLUNKINDEXERSERVER:9997,SPLUNKINDEXERSERVER:9997
[tcpout:thirdpartytest-system]
server = THIRDPARYSERVER:5114
sendCookedData = false
This is what inputs.conf shows:
[WinEventLog://Security]
disabled = 0
index = wineventlog
_TCP_ROUTING = indexer-group,thirdpartytest-system
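The two mistakes in this thread (no _TCP_ROUTING on the input, so only defaultGroup traffic reaches the third party; the raw destination missing sendCookedData=false) are easy to verify by resolving, per input stanza, which tcpout groups it actually feeds. The script below is an added example, not code from the thread or from Splunk: it parses outputs.conf and inputs.conf text with Python's configparser and applies the routing rule the thread relies on (an input's _TCP_ROUTING overrides the [tcpout] defaultGroup; sendCookedData defaults to true). The embedded configuration is a constructed sample modelled on vonsolo29's post, including a stanza standing in for the forwarder's own internal-log input, which has no _TCP_ROUTING and therefore follows defaultGroup only.

```python
"""Resolve where a Universal Forwarder sends each input, from outputs.conf / inputs.conf text.

Added example; assumes the routing rule described in the Splunk docs:
_TCP_ROUTING on an input overrides [tcpout] defaultGroup, and
sendCookedData is true unless a tcpout group sets it to false.
"""
import configparser

# Constructed sample configuration (placeholder hostnames, not a real deployment).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = indexer-group

[tcpout:indexer-group]
server = SPLUNKINDEXERSERVER:9997

[tcpout:thirdparty]
server = THIRDPARTYSERVER:5114
sendCookedData = false
"""

INPUTS_CONF = """
# Windows Security log: explicit routing to both groups overrides defaultGroup.
[WinEventLog://Security]
disabled = 0
index = wineventlog
_TCP_ROUTING = indexer-group,thirdparty

# Stand-in for the forwarder's own internal-log input: no _TCP_ROUTING,
# so it goes wherever defaultGroup points.
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. _TCP_ROUTING and sendCookedData
    cp.read_string(text)
    return cp


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_groups(outputs_text):
    """Return ({group: {servers, cooked}}, defaultGroup list) from outputs.conf text."""
    cp = _parse(outputs_text)
    groups = {}
    for section in cp.sections():
        if section.startswith("tcpout:"):
            name = section.split(":", 1)[1]
            cooked = cp[section].get("sendCookedData", "true").strip().lower() != "false"
            groups[name] = {"servers": _split_list(cp[section].get("server", "")),
                            "cooked": cooked}
    default = _split_list(cp["tcpout"].get("defaultGroup", "")) if cp.has_section("tcpout") else []
    return groups, default


def resolve_routes(outputs_text, inputs_text):
    """For each input stanza, list the tcpout groups it feeds and whether each gets cooked data."""
    groups, default = load_groups(outputs_text)
    routes = {}
    for stanza in _parse(inputs_text).sections():
        section = _parse(inputs_text)[stanza]
        explicit = _split_list(section.get("_TCP_ROUTING", ""))
        targets = explicit or default
        routes[stanza] = {
            "via": "_TCP_ROUTING" if explicit else "defaultGroup",
            "targets": [{"group": g,
                         "defined": g in groups,
                         "cooked": groups[g]["cooked"] if g in groups else None,
                         "servers": groups[g]["servers"] if g in groups else []}
                        for g in targets],
        }
    return routes


def lint(routes):
    """Flag inputs with no named destination and references to undefined tcpout groups."""
    findings = []
    for stanza, route in routes.items():
        if not route["targets"]:
            findings.append(f"{stanza}: neither _TCP_ROUTING nor defaultGroup names a group")
        for t in route["targets"]:
            if not t["defined"]:
                findings.append(f"{stanza}: routes to undefined tcpout group '{t['group']}'")
    return findings


if __name__ == "__main__":
    resolved = resolve_routes(OUTPUTS_CONF, INPUTS_CONF)
    for stanza, route in resolved.items():
        print(stanza, "via", route["via"])
        for t in route["targets"]:
            print("   ->", t["group"], "cooked" if t["cooked"] else "raw", t["servers"])
    for finding in lint(resolved):
        print("WARNING:", finding)
```

Run against the sample, the Security input resolves to both groups (cooked to the indexers, raw to the third party) while the internal-log stand-in resolves to indexer-group only, which is the split vonsolo29 wants. Removing the defaultGroup line, as Giuseppe's first answer suggests for the third-party-only case, makes the internal-log input show up in lint() with no named destination, which is the check to run before trusting what the third-party server is actually receiving.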