topic Re: Syslog Forwarding Filtering in Getting Data In

Syslog Forwarding Filtering

tsocyberoperati — Tue, 24 Sep 2024 18:31:32 GMT

Hello,

Imagine you have hundreds of Windows Universal Forwarders each sending three sources to your "Heavy Forwarders" then forwarded to the Indexers.

Imagine you want to send just one of the sources, source A, of one of those Universal Forwarders, host A, via Syslog to a 3rd Party.

Is there an "elegant way" of filtering just that specific source of that specific host to be sent via syslog on the "Heavy Forwarders"/Indexers?

Thank you

Re: Syslog Forwarding Filtering

gcusello — Wed, 25 Sep 2024 06:29:14 GMT

Hi @tsocyberoperati ,

you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Forwarddatatothird-partysystemsd#Forward_a_subset_of_data

in props.conf

[host::hostA] TRANSFORMS-hostA = send_to_syslog

in transforms.conf

[send_to_syslog] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group

where my_syslog_group is the stanza in outputs.conf.

Ciao.

Giuseppe

Re: Syslog Forwarding Filtering

tsocyberoperati — Wed, 25 Sep 2024 09:18:52 GMT

Thank you Giuseppe.

But the problem is related to filtering just one of the sources of that host.

If you place a REGEX that is able to catch only the events of that specific source, you're good to go.

But imagine you don't have a REGEX that can catch all the events of that source. how can you filter?

Re: Syslog Forwarding Filtering

PickleRick — Wed, 25 Sep 2024 19:05:06 GMT

You _probably_ (haven't tested it myself but I don't see why it shouldn't work) could do it using INGEST_EVAL.

Something like

[host::hostA] TRANSFORMS-hostA = send_to_syslog

[send_to_syslog] REGEX = . INGEST_EVAL = _SYSLOG_ROUTING=if(source="whatever","my_syslog_group",null())

EDIT: OK, there is obvously a much easier way I forgot about.

[send_to_syslog] REGEX = /somewhere/my/source/file.txt SOURCE_KEY = MetaData:Source DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group

Re: Syslog Forwarding Filtering

gcusello — Wed, 25 Sep 2024 12:43:51 GMT

Hi @tsocyberoperati ,

in props.conf you can choose a source or an host to filter.

If choosing the source, you can find with a regex the hostname in your logs you can solve your issue:

e.g. if your source is "/opt/tmp/files/myfile.txt" and the host name is contained in the logs and it's "my_host", you could try:

in props.conf

[source::/opt/tmp/files/myfile.txt] TRANSFORMS-hostA = send_to_syslog

in transforms.conf

[send_to_syslog] REGEX = my_host DEST_KEY = _SYSLOG_ROUTING FORMAT = my_syslog_group

The only limit is that the hostname must be contained in all events..

Ciao.

Giuseppe

Re: Syslog Forwarding Filtering

PickleRick — Wed, 25 Sep 2024 19:00:41 GMT

This is not a reliable way. If any other host mentions the host we're after, such event will get routed to syslog...

Re: Syslog Forwarding Filtering

gcusello — Thu, 26 Sep 2024 06:37:27 GMT

Hi @tsocyberoperati ,

the @PickleRick 's hint is correct, but you can use this approach finding a correct regex to identify the hosts.

Ciao.

Giuseppe