All Apps and Add-ons

Forwarding events from Splunk DB Connect and Splunk OPSEC LEA

nryagin
Explorer

Hi there,

I'm trying to set up forwarding from Splunk to 3rd party tool and I spent a lot of time searching for the answer on my question why Splunk doesn't forward events which are collected by using Splunk OPSEC LEA Connector or Splunk DB Connect. Other events like Windows Events which are collected by SUF are forwarded fine to 3rd party.

I've reread a lot of times Splunk Docs but I didn't found any issue on my side

My schema installation looks like:

Heavy Forwarder with installed Splunk OPSEC LEA and Splunk DB Connect >
Indexers with config files shown below >
3rd party tool

I've got the following configuration files:

props.conf
`[WinEventLog:Security]
TRANSFORMS-routing = dst_2024
[WinEventLog:System]
TRANSFORMS-routing = dst_2024
[WinEventLog:Application]
TRANSFORMS-routing = dst_2024

[opsec]
TRANSFORMS-opsec = dst_2025
[opsec:vpn]
TRANSFORMS-routing = dst_2025
[opsec:smartdefense]
TRANSFORMS-routing = dst_2025`

transforms.conf
[dst_2024]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2024
[dst_2025]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2025

outputs.conf
`[tcpout]
defaultGroup = nothing
indexAndForward = 1

Windows

[tcpout:dst-sensor-2024]
disabled = false
server = XX.XX.XX.XX:2024
sendCookedData = false
dropEventsOnQueueFull = 1

Checkpoint

[tcpout:dst-sensor-2025]
disabled = false
server = XX.XX.XX.XX:2025
sendCookedData = false
dropEventsOnQueueFull = 1`

Does someone have any idea what sort of mistake was made by me or it might be a bug?
I've tried to set up CheckPoint input on Indexer and I found that Splunk started forwarded data but I still don't understand what the problem.

0 Karma
1 Solution

nryagin
Explorer
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...