I am new to Splunk. I need to set up a lab environment where Splunk forwards events out in CEF format. I figured out how to send events into Splunk (I think), so my question is mostly about forwarding the events out of Splunk. The data size does not matter (it can be small). My questions:
1) Which product and license should I purchase? Can I get by with just the free version?
2) How to set up forwarding events in CEF format? Specifically AD events into CEF with certain AD fields.
3) I was given a CEF app configuration, which is supposed to be related to 2) above, but I need help with how to import this config and where.
Unfortunately, I cannot attach it here since I need some karma points for attaching files 😞 . Basically this config includes: app.conf, inputs.conf, limits.conf, outputs.conf, savedsearches.conf.
Thank you!