Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a config available that would push out the same format as Snare from a Heavy Forwarder?

CletisNPT
Explorer
‎12-13-2017 12:08 PM

Is there a config available that would push out the same format as Snare from a Heavy Forwarder? i.e. UniversalForwarder->HeavyForwarder->ForkTo:

  1. Native windows log gets pushed to the indexer in it's original format from the Universal Forwarder.
  2. A copy has the Snare transform applied and pushed out to a third party syslog server.
0 Karma
Reply

CletisNPT
Explorer
‎12-14-2017 09:02 AM

I'm sure there's a way to do it with the transforms and SEDCMD. Was just curious if anyone had accomplished it yet.

0 Karma
Reply

nickhills
Ultra Champion
‎12-15-2017 02:27 AM

You cant reformat the data which would be sent over a raw socket with a transform - it would always be sent as a 'Splunk Formatted' message, but with a little bit of netcat/grep/awk/sed fun you could probably get the data into any format you like - but probably a PITA!

I have just done a very quick google, and it seems that snare can accept syslog messages so this seems like the way to go.

in your outputs/conf

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = <your syslog server>:514

I think thats all it takes!

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-20-2017 02:20 AM

Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-14-2017 12:56 AM

You cant reformat the data, however you can send a copy of the raw event via a TCP socket, or alternatively as Syslog.
I am not familiar with Snare, but it sounds like the second option would be most appropriate for you.

http://docs.splunk.com/Documentation/Splunk/7.0.1/Forwarding/Forwarddatatothird-partysystemsd

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...