topic Re: How to filter syslogs to third parties? in Getting Data In

How to filter syslogs to third parties?

gcusello — Fri, 05 May 2023 11:03:03 GMT

Hi everyone,
As usual, I have a strange question:
I need to send a subset of the logs received from an appliance to an external SIEM via syslog, this appliance is a Mobileiron server with a Universal Forwarder embedded in it.
I configured the Heavy Forwarder and sending syslogs works fine.
However, I have the problem that all the logs from the source appliance are sent via syslog and not just a part of them as I would like.
Usually the problem is solved by using _TCP_ROUTING and _SYSLOG_ROUTING in the inputs.conf.
The problem is that the source server is a MobileIron appliance that sends logs through an embedded Universal Forwarder, where I cannot edit the configuration files by hand and therefore cannot enter parameters to select destinations for the various log types.
Can anyone hint to a workaround to send via syslog only two prefixed sourcetypes, keeping sending all logs to Indexers?
Thanks in advance.

Ciao.

Giuseppe

Re: How to filter syslogs to third parties?

VatsalJagani — Mon, 08 May 2023 13:00:40 GMT

@gcusello - Do you mean to send data to Splunk indexes and clone it to a third-party SIEM solution?

Give it a try with the below configuration on the testing environment to see what happens. (Though I still don't understand why you think ROUTING will not work in your case?)

[my_sourcetype] TRANSFORMS-routing = route_to_indexers, route_to_third_party_tool [route_to_indexers] DEST_KEY = _TCP_ROUTING FORMAT = my_indexers [route_to_third_party_tool] DEST_KEY = _SYSLOG_ROUTING FORMAT = my_third_party_tool

Re: How to filter syslogs to third parties?

gcusello — Mon, 08 May 2023 13:58:19 GMT

Hi @VatsalJagani,

thank you for your attention.

as I said, it's a strange situation:

I configured my system as you said and it's sending logs to syslog,

but the problem is that I don't need to send all logs to syslog, but only a part of them and I cannot filter them before sending because _TCP_ROUTING and SYSLOG_ROUTING must be inserted in inputs.conf, but, in my situation, inputs.conf is in a closed appliance so I cannot.

I'm searching for a way to filter logs on the Heavy Forwarder.

Ciao.

Giuseppe

Re: How to filter syslogs to third parties?

VatsalJagani — Mon, 08 May 2023 16:44:43 GMT

@gcusello - You can do _SYSLOG_ROUTING and _TCP_ROUTING with props.conf and transforms.conf as I suggested. That should allow you to do routing on specific sourcetype or source.

Re: How to filter syslogs to third parties?

gcusello — Tue, 09 May 2023 06:38:16 GMT

Hi @VatsalJagani,

this is the procedure described in the Splunk documentation and I tried it, but it didn't work and syslogs weren't sent, I also tried to open a case to Splunk Support for a behavior different than documented but they closed it because they didn't find any issue.

So I added _SYSLOG_ROUTING and _TCP_ROUTING to the tcpinput on the HF, in this way syslogs are sent but the filter doesn't run.

Ciao.

Giuseppe

Re: How to filter syslogs to third parties?

VatsalJagani — Tue, 09 May 2023 10:29:50 GMT

@gcusello

It should work on HF through props/transforms.

Have you tried running tcpdump on receiving server to check? Have you checked Splunk logs?

If the configuration is okay then Splunk HF should send the data according to the documentation. If not its Splunk issue for sure.

Re: How to filter syslogs to third parties?

gcusello — Tue, 09 May 2023 10:40:13 GMT

Hi @VatsalJagani,

I runned tcpdump on the same server and no syslog exits from the HF during my first test (without parameters in inputs.conf),

instead tcpdump displays syslog sending with the inputs.conf configuration.

I'll try again, to be more sure, but I already runned this test.

Ciao and thanks.

Giuseppe