Forwarding to a 3rd party

dthompsonsplunk
Explorer

Hi All,

We have a Splunk and a LogRhythm set up. The Splunk environment existed first so all our devices send syslog to the Splunk Heavy Forwarders.
We now have a LogRhythm set up as well as a (now smaller) Splunk licence.

What I need to do is continue to send whatever hits the heavy forwarders onto LogRhythm as syslog but also cull down and send only certain sourcetypes onto Splunk. Otherwise we need to change the config on 150 devices.

What I have tried to do is
(i) send default TCPOUT to the null queue then do a routing transform on the sourcetypes we want to keep in Splunk.
This hasn't worked because as soon as I set the default TCPOUT to the null queue then LogRhythm stops getting syslog.

(ii) send uncooked data to LogRhythm instead of syslog
This hasn't worked either; I can't work out why, though maybe my config is wrong.

Current set up

[tcpout]
defaultGroup = lb
useACK = false

[tcpout:lb]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true

[syslog]
defaultGroup=LR

[syslog:LR]
server = 10.90.90.100:514

Attempted new set up (i)

*** props.conf ***

[cisco_asa]
TRANSFORMS-routing= splunkRouting

[cisco_router]
TRANSFORMS-routing= splunkRouting


*** transforms.conf ***



[splunkRouting]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=allowedEvents


*** outputs.conf ***

[tcpout]
defaultGroup = lb
useACK = false
indexAndForward = 0 

[tcpout:lb]
server = 0.0.0.0:0000


[tcpout:allowedEvents]
defaultGroup = splunk_lb
useACK = false

[tcpout:splunk_lb]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true


[syslog]
defaultGroup=LR

[syslog:LR]
server = 10.90.90.100:514

This set up when applied stops sending syslog to LogRhythm.

I have also tried sending uncooked data to LogRhythm as per the below

*** props.conf ***

[cisco_asa]
TRANSFORMS-routing= logrhythmRouting


*** transforms.conf ***

[logrhythmRouting]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=lbsplunk,LR


*** outputs.conf ***

[tcpout]
defaultGroup=LR
useACK = false

[tcpout:LR]
server = 10.90.90.100:9997
sendCookedData=false


[tcpout:splunkserver]
defaultGroup=lbsplunk

[tcpout:lbsplunk]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true

Would there be any way I could approach this, as we want to keep using Splunk for our selected gear and let the others use LogRhythm?

0 Karma
1 Solution

xpac
SplunkTrust

Try this:

props.conf

[cisco_asa]
TRANSFORMS-routing = logrhythmRouting

transforms.conf

[logrhythmRouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = LR,splunkserver

outputs.conf

[tcpout]
defaultGroup = LR

[tcpout:LR]
server = 10.90.90.100:9997
sendCookedData=false

[tcpout:splunkserver]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997

This should work - it should route everything to LogRhythm, and the cisco_asa sourcetype to both.
You don't need multiple defaultGroup statements to make this work; actually, that might even break it.


0 Karma
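The routing the accepted answer sets up can be checked offline before it is pushed to the heavy forwarders. The Python below is an added example, not code from the thread or from Splunk: it parses props.conf, transforms.conf and outputs.conf text with the standard library, answers which tcpout groups an event of a given sourcetype reaches, and flags the two mistakes visible in the poster's failed attempts (a defaultGroup inside a [tcpout:<group>] stanza, and a placeholder server such as 0.0.0.0:0000). The sample configs are constructed from the thread; the cisco_router stanza in props.conf (the poster wants that sourcetype kept in Splunk too), the sample ASA event and the names parse(), route() and lint() are my assumptions. So is the comment that an unreachable tcpout target blocks the pipeline: it follows from the outputs.conf default dropEventsOnQueueFull = -1 and is a plausible reading of attempt (i), not something the thread confirms.

```python
"""Static routing check for a Splunk heavy forwarder (added example, not the
thread's code).  Models tcpout routing only: defaultGroup, _TCP_ROUTING and
nullQueue; syslog stanzas are ignored.  Samples are constructed from the thread."""
import configparser
import re
# Accepted answer's config; the cisco_router stanza is my addition (assumption).
PROPS_OK = """
[cisco_asa]
TRANSFORMS-routing = logrhythmRouting
[cisco_router]
TRANSFORMS-routing = logrhythmRouting
"""
TRANSFORMS_OK = """
[logrhythmRouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = LR,splunkserver
"""
OUTPUTS_OK = """
[tcpout]
defaultGroup = LR
[tcpout:LR]
server = 10.90.90.100:9997
sendCookedData = false
[tcpout:splunkserver]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
"""
# The poster's failed attempt (i), reproduced so lint() can flag it.
TRANSFORMS_I = """
[splunkRouting]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = allowedEvents
"""
OUTPUTS_I = """
[tcpout]
defaultGroup = lb
[tcpout:lb]
server = 0.0.0.0:0000
[tcpout:allowedEvents]
defaultGroup = splunk_lb
[tcpout:splunk_lb]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as DEST_KEY are case-sensitive
    cp.read_string(text)
    return cp

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def route(sourcetype, event, props, transforms, outputs):
    """Return the set of tcpout groups the event reaches (empty = dropped)."""
    groups = set()
    for key, value in props.items(sourcetype) if props.has_section(sourcetype) else []:
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in _split(value):
            if not transforms.has_section(name):
                continue
            t = dict(transforms.items(name))
            if not re.search(t.get("REGEX", ""), event):  # Splunk uses PCRE; re is close enough here
                continue
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                return set()  # discarded before any output processor sees it
            if t.get("DEST_KEY") == "_TCP_ROUTING":
                groups.update(_split(t.get("FORMAT", "")))
    # No routing transform matched, so the [tcpout] defaultGroup applies.
    return groups or set(_split(outputs.get("tcpout", "defaultGroup", fallback="")))

def lint(transforms, outputs):
    """Flag the outputs.conf/transforms.conf mistakes seen in the thread."""
    problems, defined = [], set()
    for s in outputs.sections():
        if not s.startswith("tcpout:"):
            continue
        defined.add(s.split(":", 1)[1])
        if outputs.has_option(s, "defaultGroup"):
            problems.append(f"[{s}]: defaultGroup belongs in [tcpout], not in a group stanza")
        for srv in _split(outputs.get(s, "server", fallback="")):
            host, _, port = srv.rpartition(":")
            # dropEventsOnQueueFull defaults to -1 (block), and a blocked target
            # group stops data reaching any other group and backs up the pipeline.
            if host in ("", "0.0.0.0") or port.strip("0") == "":
                problems.append(f"[{s}]: placeholder server {srv} will block all outputs once its queue fills")
    refs = _split(outputs.get("tcpout", "defaultGroup", fallback=""))
    for t in transforms.sections():
        if transforms.get(t, "DEST_KEY", fallback="") == "_TCP_ROUTING":
            refs += _split(transforms.get(t, "FORMAT", fallback=""))
    problems += [f"tcpout group {g!r} is referenced but never defined" for g in refs if g not in defined]
    return problems

if __name__ == "__main__":
    ok = parse(PROPS_OK), parse(TRANSFORMS_OK), parse(OUTPUTS_OK)
    for st in ("cisco_asa", "cisco_router", "linux_secure"):  # constructed sample event below
        print(st, "->", sorted(route(st, "%ASA-6-302013: Built inbound TCP", *ok)))
    print(lint(ok[1], ok[2]), lint(parse(TRANSFORMS_I), parse(OUTPUTS_I)))
```

On the forwarder itself, compare the script's view with what splunkd has actually merged: `splunk btool outputs list --debug` and `splunk btool transforms list --debug` print the effective stanzas together with the file each setting came from, which is how you catch a stale copy of outputs.conf in another app that the edited file never overrode.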

dthompsonsplunk
Explorer

Thanks heaps for your help, xpac; this works now. I can see traffic heading off to both destinations in packet caps.

Awesome 🙂
