topic Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this? in Getting Data In

I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

DerekB — Tue, 25 Sep 2012 22:18:22 GMT

My Splunk setup is a UF sending to an indexer. That indexer is then forwarding everything to QRadar. When I look at the events in QRadar, they are mangled. What I see is each key value pair is its' own event instead of all of the pairs being part of a single event.

Example:

Real event looks like:

09-Sep-2012 14:48:29 AgentDevice=WindowsLog AgentLogFile=Security

But it's getting broke into separate events like this:

Event 1-
09-Sep-2012 14:48:29

Event 2-
AgentDevice=WindowsLogs

Event 3-
AgentLogfile=Security

Why?

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

jbsplunk — Tue, 25 Sep 2012 22:23:05 GMT

We've seen this before, and what we noticed was that when we looked at the single line event data the instance was generating, it was all showing up in QRadar normally. The problem turned out to be that QRadar doesn't understand how to deal with multiline events, so each line is handled as an individual event. We confirmed the behavior with the vendor, presently it is a limitation of the product.

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

Ayn — Tue, 25 Sep 2012 22:25:48 GMT

Isn't this a QRadar issue rather than a Splunk issue?

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

jbsplunk — Tue, 25 Sep 2012 22:30:11 GMT

Yes, but it's good to have documented.

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

buttona — Thu, 30 Oct 2014 13:32:05 GMT

Is this something that has been corrected since 2012? We are looking to do the same thing here with SystemOut and http access logs from Splunk indexer to QRadar.

Thanks.

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

jmann2118 — Thu, 30 Oct 2014 14:47:52 GMT

You can upgrade to a newer version of Qradar which adds Splunk as a source and fixes this issue

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

jcrabb_splunk — Tue, 16 Feb 2016 20:24:50 GMT

Here is a document regarding the Qradar configuration from IBM's site:

http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.dsm.doc/t_DSM_guide_Splunk_logsource.html%23t_dsm_guide_splunk_logsource

Re: I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

rajanala — Tue, 29 Sep 2020 09:18:33 GMT

DerekB,
Can you share Splunk configuration details for Forwarding all data from Splunk Indexer to QRadar ?
Will, having just the outputs.conf work?
outputs.conf
[tcpout]
defaultGroup = SIEM_12345
indexAndForward = true
disabled = false

[tcpout:SIEM_12345]
server = SIEM_IP:12345
compressed = true
sendCookedData = true