https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374585#M13756 <P>Hi All, </P> <P>We have a Splunk and a LogRhythm set up. The Splunk environment existed first so all our devices send syslog to the Splunk Heavy Forwarders. <BR /> We now have a LogRhythm set up as well as a (now smaller) Splunk licence. </P> <P>What I need to do is continue to send whatever hits the heavy forwarders onto LogRhythm as syslog but also cull down and send only certain sourcetypes onto Splunk. Otherwise we need to change the config on 150 devices.</P> <P>What I have tried to do is <BR /> (i) send default TCPOUT to the null queue then do a routing transform on the sourcetypes we want to keep in Splunk.<BR /> This hasn't worked because as soon as I set the default TCPOUT to the null queue then LogRhythm stops getting syslog</P> <P>(ii) send uncooked data to LogRhythm instead of syslog <BR /> This hasn't worked either, can work out why though maybe my config is wrong</P> <P>Current set up </P> <PRE><CODE>[tcpout] defaultGroup = lb useACK = false [tcpout:lb] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 autoLB = true [syslog] defaultGroup=LR [syslog:LR] server = 10.90.90.100:514 </CODE></PRE> <P>Attempted new set up (i)</P> <PRE><CODE>*** props.conf *** [cisco_asa] TRANSFORMS-routing= splunkRouting [cisco_router] TRANSFORMS-routing= splunkRouting *** transforms.conf *** [splunkRouting] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=allowedEvents *** outputs.conf *** [tcpout] defaultGroup = lb useACK = false indexAndForward = 0 [tcpout:lb] server = 0.0.0.0:0000 [tcpout:allowedEvents] defaultGroup = splunk_lb useACK = false [tcpout:splunk_lb] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 autoLB = true [syslog] defaultGroup=LR [syslog:LR] server = 10.90.90.100:514 </CODE></PRE> <P>This set up when applied stops sending syslog to LogRhtyhm</P> <P>I have also tried sending uncooked data to LogRhythm as per the below</P> <PRE><CODE>*** props.conf *** [cisco_asa] TRANSFORMS-routing= logrhythmRouting *** transforms.conf *** [logrhythmRouting] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=lbsplunk,LR *** outputs.conf *** [tcpout] defaultGroup=LR useACK = false [tcpout:LR] server = 10.90.90.100:9997 sendCookedData=false [tcpout:splunkserver] defaultGroup=lbsplunk [tcpout:lbsplunk] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 autoLB = true </CODE></PRE> <P>Would there be any way I could approach this as we want to keep using Splunk for our selected gear and let the others use LogRhythm </P> Thu, 03 May 2018 08:46:44 GMT dthompsonsplunk 2018-05-03T08:46:44Z https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374585#M13756 <P>Hi All, </P> <P>We have a Splunk and a LogRhythm set up. The Splunk environment existed first so all our devices send syslog to the Splunk Heavy Forwarders. <BR /> We now have a LogRhythm set up as well as a (now smaller) Splunk licence. </P> <P>What I need to do is continue to send whatever hits the heavy forwarders onto LogRhythm as syslog but also cull down and send only certain sourcetypes onto Splunk. Otherwise we need to change the config on 150 devices.</P> <P>What I have tried to do is <BR /> (i) send default TCPOUT to the null queue then do a routing transform on the sourcetypes we want to keep in Splunk.<BR /> This hasn't worked because as soon as I set the default TCPOUT to the null queue then LogRhythm stops getting syslog</P> <P>(ii) send uncooked data to LogRhythm instead of syslog <BR /> This hasn't worked either, can work out why though maybe my config is wrong</P> <P>Current set up </P> <PRE><CODE>[tcpout] defaultGroup = lb useACK = false [tcpout:lb] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 autoLB = true [syslog] defaultGroup=LR [syslog:LR] server = 10.90.90.100:514 </CODE></PRE> <P>Attempted new set up (i)</P> <PRE><CODE>*** props.conf *** [cisco_asa] TRANSFORMS-routing= splunkRouting [cisco_router] TRANSFORMS-routing= splunkRouting *** transforms.conf *** [splunkRouting] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=allowedEvents *** outputs.conf *** [tcpout] defaultGroup = lb useACK = false indexAndForward = 0 [tcpout:lb] server = 0.0.0.0:0000 [tcpout:allowedEvents] defaultGroup = splunk_lb useACK = false [tcpout:splunk_lb] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 autoLB = true [syslog] defaultGroup=LR [syslog:LR] server = 10.90.90.100:514 </CODE></PRE> <P>This set up when applied stops sending syslog to LogRhtyhm</P> <P>I have also tried sending uncooked data to LogRhythm as per the below</P> <PRE><CODE>*** props.conf *** [cisco_asa] TRANSFORMS-routing= logrhythmRouting *** transforms.conf *** [logrhythmRouting] REGEX=(.) DEST_KEY=_TCP_ROUTING FORMAT=lbsplunk,LR *** outputs.conf *** [tcpout] defaultGroup=LR useACK = false [tcpout:LR] server = 10.90.90.100:9997 sendCookedData=false [tcpout:splunkserver] defaultGroup=lbsplunk [tcpout:lbsplunk] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 autoLB = true </CODE></PRE> <P>Would there be any way I could approach this as we want to keep using Splunk for our selected gear and let the others use LogRhythm </P> Thu, 03 May 2018 08:46:44 GMT https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374585#M13756 dthompsonsplunk 2018-05-03T08:46:44Z https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374586#M13757 <P>Try this:</P> <P><CODE>props.conf</CODE></P> <PRE><CODE>[cisco_asa] TRANSFORMS-routing = logrhythmRouting </CODE></PRE> <P><CODE>transforms.conf</CODE></P> <PRE><CODE>[logrhythmRouting] REGEX = . DEST_KEY = _TCP_ROUTING FORMAT = LR,splunkserver </CODE></PRE> <P><CODE>outputs.conf</CODE></P> <PRE><CODE>[tcpout] defaultGroup = LR [tcpout:LR] server = 10.90.90.100:9997 sendCookedData=false [tcpout:splunkserver] server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997 </CODE></PRE> <P>This should work - it should route everything to LogRhythm, and the <CODE>cisco_asa</CODE> sourcetype to both.<BR /> You don't need multiple <CODE>defaultGroup</CODE> statements to make this work, actually that might even break it.</P> Thu, 03 May 2018 16:59:57 GMT https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374586#M13757 xpac 2018-05-03T16:59:57Z https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374587#M13758 <P>Thanks heaps for your help xpac, this works now. I can see traffic heading off to both destinations in packet caps.</P> <P>Awesome <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Mon, 07 May 2018 09:28:30 GMT https://community.splunk.com/t5/Deployment-Architecture/Forwarding-to-a-3rd-party/m-p/374587#M13758 dthompsonsplunk 2018-05-07T09:28:30Z