topic Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299703#M56700 <P>I am having the same problem, did you get this to work??? Thanks</P> Tue, 02 Oct 2018 14:05:05 GMT Log_wrangler 2018-10-02T14:05:05Z How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299698#M56695 <P>Hello,</P> <P>I'm trying to send windows events using an Universal Forwarder to a 3rd party system.</P> <P>I configured outputs.conf as shown below:</P> <P><STRONG><EM>[tcpout]<BR /> defaultGroup = primary_indexers</EM></STRONG></P> <P><STRONG><EM>[tcpout:primary_indexers]<BR /> server = indexer1:9997,indexer2:9997, etc<BR /> autoLB = true<BR /> compressed = true</EM></STRONG></P> <P><STRONG><EM>[tcpout:exernal]<BR /> server=10.10.10.10:514<BR /> sendCookedData=false</EM></STRONG></P> <P>The forwarder has an inputs.conf which looks for WinEvent:Security. The events are reaching the splunk indexers successfully...but not the 3rd party server. The 3rd party server is only receiving splunk internal events, which tells me that the outputs.conf stanza is correct and i have connectivity between the 2 machines. </P> <P>Is there anything specific i need to configure in order to forward the windows events to the 3rd party server as well? I only need to send the raw events, no other parsing/transformation is needed. Any suggestion would be highly appreciated.</P> <P>Thanks!</P> Thu, 24 Aug 2017 07:17:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299698#M56695 raduand 2017-08-24T07:17:20Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299699#M56696 <P>Hi raduand,<BR /> as described at <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd</A> , you should try to delete (or comment) the first stanza in outputs.conf</P> <PRE><CODE>[tcpout] defaultGroup = primary_indexers </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 24 Aug 2017 08:07:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299699#M56696 gcusello 2017-08-24T08:07:51Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299700#M56697 <P>Thanks! Now it's sending something but the windows events are multi-line and i'd like to receive the full event in a single line on the 3rd party destination. Is that possible?</P> Thu, 24 Aug 2017 11:05:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299700#M56697 raduand 2017-08-24T11:05:50Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299701#M56698 <P>Hi raduand,<BR /> I don't think that it's possible because you're sending uncooked data, you should parse data in the destination system to aggregate rows in a single log, or use cooked data and parse them in the destination system.<BR /> Bye.<BR /> Giuseppe</P> Fri, 25 Aug 2017 08:53:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299701#M56698 gcusello 2017-08-25T08:53:13Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299702#M56699 <P>Cool, then i believe i need to use an intermediate Heavy Forwarder to parse the logs then forward them to the 3rd party destination.</P> <P>Thanks a lot and best regards,<BR /> Andrei</P> Fri, 25 Aug 2017 08:55:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299702#M56699 raduand 2017-08-25T08:55:09Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299703#M56700 <P>I am having the same problem, did you get this to work??? Thanks</P> Tue, 02 Oct 2018 14:05:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299703#M56700 Log_wrangler 2018-10-02T14:05:05Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299704#M56701 <P>We are trying to do something similar but we want the UF to send the same data to both our indexer group and the third party system. Is this possible? we configured the _TCP_ROUTING property to use both tcpout stanzas for indexer-gorup and secops-server but the data in the secops-server is not correct. It looks as though its just internal splunk logs/metrics from the UF and not windows event logs. </P> Tue, 29 Sep 2020 22:44:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299704#M56701 vonsolo29 2020-09-29T22:44:34Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299705#M56702 <P>Hi vonsolo29,<BR /> did you inserted the option <CODE>sendCookedData=false</CODE> in the outputs.conf's external stanza?<BR /> in addition, you have to modify also the other inputs.conf, probably you're sending also the Splunk internal logs.<BR /> Bye.<BR /> Giuseppe</P> Fri, 11 Jan 2019 07:53:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299705#M56702 gcusello 2019-01-11T07:53:19Z Re: How to send Windows events to a third-party server using Splunk Universal Forwarder? https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299706#M56703 <P>this is what i have in the outputs</P> <P>[tcpout]<BR /> defaultGroup = indexer-group </P> <P>[tcpout:indexer-group]<BR /> server = SPLUNKINDEXERSERVER:9997,SPLUNKINDEXERSERVER:9997,SPLUNKINDEXERSERVER:9997</P> <P>[tcpout:thirdpartytest-system]<BR /> server = THIRDPARYSERVER:5114<BR /> sendCookedData = false</P> <P>this is what the inputs shows:</P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> index = wineventlog<BR /> _TCP_ROUTING = indexer-group,thirdpartytest-system</P> Tue, 29 Sep 2020 22:45:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-send-Windows-events-to-a-third-party-server-using-Splunk/m-p/299706#M56703 vonsolo29 2020-09-29T22:45:02Z