Getting Data In

What is the best process for sending logs from Splunk to a syslog-ng server?

splunker969
Communicator

Hi,
We are planning to forward Windows event logs from Splunk to RSA.
https://answers.splunk.com/answers/581066/how-splunk-can-send-data-to-third-party-system-spe.html

We already tried the three approaches mentioned above and they were not working. We are trying to send data from Splunk to a syslog-ng server, and from there RSA collects the data.

Is there any process for sending logs from Splunk to a syslog-ng server?

Any help, please?

s2_splunk
Splunk Employee

You can take a look at this app and its documentation to see if that would help you meet your needs. It's a search-based approach to forward data via SYSLOG specifically built for 3rd-party SIEM integrations.

That aside: If you followed the documentation here and it didn't work for you, can you explain what issue you were experiencing? Maybe we can collectively get you on the right track.

splunker969
Communicator

Hi SSievert,

We are now seeing traffic leave our indexers when monitoring the interface via tcpdump. However, RSA is not able to parse the data, even though the field mappings appear correct and in line with the CEF standard template.

We suspect this may be because there is no priority value at the beginning of these events (which RSA needs, apparently).

From what I can see, the Splunk app for CEF configures outputs.conf to use tcpout as the processor (instead of syslog). Could you confirm if this is correct and, if so, would it be possible to change this to syslog?

Would really appreciate any help and support you can provide in this matter, @ssievert.

Thanks.


s2_splunk
Splunk Employee

Can you share the outputs.conf?
Do you have a section that looks like this:
[syslog:myRSAservers]
type=tcp
priority=nn
etc.
as documented here?


splunker969
Communicator

I believe the app is only built to send data via tcp routing, @ssievert. Also, please find below our outputs.conf:
# tcpout stanza as posted; key names corrected to the case outputs.conf expects
[tcpout:RSA_Netwitness]
server = ip:port
blockOnCloning = 5
sendCookedData = false

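The stanzas below are an added example, not configuration from this thread, the CEF app or Splunk's own documentation: they place the raw tcpout stanza the asker posted beside a syslog output group that makes Splunk prepend a priority header, plus the props/transforms routing that selects which events go to it. The group name, address, port and sourcetype are assumptions; syslog output is only applied by an instance that parses the data (indexer or heavy forwarder), and Splunk .conf files take comments only on their own lines.

```ini
# --- outputs.conf (on the indexer or heavy forwarder) ---

# Raw TCP stream as the asker had it: events leave unchanged, with no
# "<PRI>" header in front of the CEF line, which is what RSA rejected.
# Address is a placeholder.
[tcpout:RSA_Netwitness]
server = 192.0.2.10:514
sendCookedData = false

# Syslog output group (name assumed). Splunk adds a syslog header
# (priority, timestamp, host) in front of every event sent here.
[syslog:rsa_syslogng]
server = 192.0.2.10:514
type = tcp
# Written with the angle brackets. 13 = facility user (1) * 8 + severity notice (5).
priority = <13>
# Windows events are often longer than the 1024-byte default.
maxEventSize = 4096

# --- props.conf: choose the events to route (sourcetype assumed) ---
[WinEventLog:Security]
TRANSFORMS-route_rsa = route_to_rsa_syslog

# --- transforms.conf: send matched events to the syslog group above ---
[route_to_rsa_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = rsa_syslogng
```

After restarting, a tcpdump on the indexer should show each line starting with `<13>` followed by the timestamp and host, which is the part RSA was missing from the tcpout stream.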