topic Splunk audit log in syslog output in Getting Data In

Splunk audit log in syslog output

adamw — Thu, 20 May 2010 01:54:41 GMT

I have my splunk instance set up to receive data on a TCP port, sourcetype it, then output it with to a Splunk receiver using the forwarder/receiver configuration. Everything is okay with that, my problem comes in when I try to configure a syslog output, as talked about http://www.splunk.com/base/Documentation/4.1.2/Admin/Forwarddatatothird-partysystems and http://www.splunk.com/base/Documentation/4.0/Admin/ForwardtosyslogorHTTP

The remote server receives the data as I intended, but it also receives a whole bunch of Splunk audit events, particularly whenever a user uses the web interface.

outputs.conf:

[syslog]
defaultGroup=logserver

[syslog:logserver]
server = logserver:12345
type = tcp
sendCookedData = false

props.conf:

[to-be-syslogged]
TRANSFORMS-syslog = send_to_syslog

transforms.conf:

[send_to_syslog]
REGEX = .*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = logserver

It is my understanding that the bracket inside of props.conf specifies the sourcetype that I would like output to syslog. I have also tried host::* (and various iterations of server names), and source::tcp:5557 (the port that these particular entries are coming in on) to no avail.

The logs I am seeing on my syslog server include the logs I am looking for, but also have multiple entries such as:

<13>Audit:[timestamp=05-19-2010 14:52:32.090, user=admin, action=admin_all_objects, info=granted ][n/a]

Any ideas?

Thanks

Re: Splunk audit log in syslog output

carmackd — Tue, 06 Jul 2010 20:42:02 GMT

Had the same problem. If you are using a regular forwarder (not a lightweight), you need to configure the indexer to receive the data using splunktcp instead of tcp. You can either user the default splunktcp port 9997, or add a new one. To add a new splunktcp to the indexer, navigate to: Manager >> Forwarding and Receiving >> Receive Data >> add new. Specify the port number. You will need to configure the forwarder to set sourcetype.

From the input.conf documentation

[splunktcp://:]
* This is the same as TCP, except the remote server is assumed to be a Splunk server.

Worked for me!

Re: Splunk audit log in syslog output

Lowell — Tue, 06 Jul 2010 23:18:03 GMT

Correction: Events coming from either normal splunk forwarders or lightweight splunk forwarders should both be received using the splunktcp input.

Re: Splunk audit log in syslog output

ftk — Wed, 21 Jul 2010 00:28:56 GMT

Am I reading this correctly in that you are doing Server -> Syslog -> Splunk Forwarder -> Syslog -> Splunk Indexer?

Re: Splunk audit log in syslog output

adamw — Wed, 28 Jul 2010 23:06:02 GMT

definitely not, just raw TCP stream -> splunk -> syslog

Re: Splunk audit log in syslog output

stephanbuys — Tue, 24 Aug 2010 20:26:59 GMT

Have you tried removing:

[syslog]
defaultGroup=logserver

from your outputs.conf?

As I read it and from my own experience it might change the behaviour from what you intend. Otherwise it looks good. If all else fails you can use REGEX = to negate certain log entries.