- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is there a config available that would push out th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a config available that would push out the same format as Snare from a Heavy Forwarder?
Is there a config available that would push out the same format as Snare from a Heavy Forwarder? i.e. UniversalForwarder->HeavyForwarder->ForkTo:
- Native windows log gets pushed to the indexer in it's original format from the Universal Forwarder.
- A copy has the Snare transform applied and pushed out to a third party syslog server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sure there's a way to do it with the transforms and SEDCMD. Was just curious if anyone had accomplished it yet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cant reformat the data which would be sent over a raw socket with a transform - it would always be sent as a 'Splunk Formatted' message, but with a little bit of netcat/grep/awk/sed fun you could probably get the data into any format you like - but probably a PITA!
I have just done a very quick google, and it seems that snare can accept syslog messages so this seems like the way to go.
in your outputs/conf
[syslog]
defaultGroup=syslogGroup
[syslog:syslogGroup]
server = <your syslog server>:514
I think thats all it takes!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cant reformat the data, however you can send a copy of the raw event via a TCP socket, or alternatively as Syslog.
I am not familiar with Snare, but it sounds like the second option would be most appropriate for you.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Forwarding/Forwarddatatothird-partysystemsd
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
