topic Re: How to filter specific logs and send it as syslog to a third-party host in Getting Data In

How to filter specific logs and send it as syslog to a third-party host

LittleFatFish — Wed, 30 Oct 2024 15:10:32 GMT

Hi all,

I want to send logs (which are part from our sourcetype [kube_audit]) from my HeavyForwarder to a third-party system (in my case SIEM) in syslog-format, and only those, which are caught with the regex defined. Everything else should be sent normally to my Indexers. There exists a documentation, but for my use-case there is no further description. (https://docs.splunk.com/Documentation/Splunk/9.1.3/Forwarding/Routeandfilterdatad#Filter_and_route_event_data_to_target_groups , https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd )

I tried to follow the documentation and tried many things. But I end up with my third-party host receiving ALL logs of my sourcetype [kube_audit] instead only a part of it. I checked my regex, as I suspected this would be my point of failure, but there must be some other configurations I am missing, as in a simple setup, the regex works as it is.

My setup for outputs, transforms and props.conf:

props.conf:

[kube_audit] TRANSFORMS-routing = route_to_sentinel

transforms.conf:

[route_to_sentinel] REGEX = (?<sentinel>"verb":"create".*"impersonatedUser".*"objectRef":\{"resource":"pods".*"subresource":"exec") DEST_KEY = _SYSLOG_ROUTING FORMAT = sentinel_forwarders

outputs.conf:

[tcpout] defaultGroup = my_indexers forwardedindex.filter.disable = true indexAndForward = false useACK = true backoffOnFailure = 5 connectionTTL = 3500 writeTimeout = 100 maxConnectionsPerIndexer = 20 [tcpout:my_indexers] server=<list_of_servers> [syslog] defaultGroup = sentinel_forwarders [syslog:sentinel_forwarders] server = mythirdpartyhost:514 type = udp

Am I missing something? Any notable things I did miss? Any help is appreciated!

Best regards

Re: How to filter specific logs and send it as syslog to a third-party host

gcusello — Thu, 31 Oct 2024 07:22:21 GMT

Hi @LittleFatFish ,

what's your issue: you don't send logs to the third party syslog or you send all your logs?

I experienced both the issues.

I solved the first removing:

defaultGroup = my_indexers

in [tcpout] stanza.

Ciao.

Giuseppe

Re: How to filter specific logs and send it as syslog to a third-party host

LittleFatFish — Thu, 31 Oct 2024 08:12:29 GMT

Hey @gcusello !

Removing this option from my tcpout stanza would cause, that everything else being logged to my indexer, would not be sent anymore by my heavyforwarder.

My main issue is that my third-party host gets sent everything from my sourcetype kube_audit instead only a specific part (which should include everything matching with my regex).

So I have a setup, where my heavyforwarder sends a lot to my indexers in my environment, but now for security purposes, we want to send a specific part through the syslogoutputprocessor to a third-party host, which should receive it on port 514 via UDP. Instead of respecting my regex defined in transforms.conf, it sends everything regarding the sourcetype kube_audit defined in my props.conf (what you would expect if "REGEX = (.)" would do).

Any other way you fixed it?

Thanks for helping

Re: How to filter specific logs and send it as syslog to a third-party host

gcusello — Thu, 31 Oct 2024 08:33:22 GMT

Hi @LittleFatFish ,

in this case, check if the sourcetype in props.conf is correct and especially if it's overrided, maybe when the transformation is applied your events still have the original sourcetype.

Then obviously (but I'm sure that you already did it) check again the regex in transforma.conf.

Ciao.

Giuseppe