topic Re: How can I forward data received from file path monitoring to third party system? in Getting Data In

How can I forward data received from file path monitoring to third party system?

swapsplunk236 — Wed, 20 Dec 2017 13:55:32 GMT

Hi, We have a UF which forwards data to HF and HF passes it to indexers. UF forwards OS logs as well as logs from the directory that we are monitoring. We have configured HF to forward data received to indexers as well as to third party system as explained here: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd.

But as checked only OS logs are getting forwarded and not the logs from the directory. Can anybody suggest the additional checks we should perform to ensure logs from the directory too are getting forwarded to third party system?

Thanks.

Re: How can I forward data received from file path monitoring to third party system?

harsmarvania57 — Wed, 20 Dec 2017 13:58:47 GMT

Can you please share your configuration which you configured on HF (Please mask any sensitive data) ?

Re: How can I forward data received from file path monitoring to third party system?

naidusadanala — Wed, 20 Dec 2017 13:59:32 GMT

Please follow this

-->Make sure you have no transforms configured for that data for routing purpose
Forward all data
This example shows how to send all the data from a forwarder to a third-party system. Since you are sending all the data, you only need to edit outputs.conf:

[tcpout]

[tcpout:fastlane]
server = 10.1.1.35:6996
sendCookedData = false

Re: How can I forward data received from file path monitoring to third party system?

swapsplunk236 — Wed, 20 Dec 2017 14:01:37 GMT

Hi, Please see below for current output configuration in place on HF.

[tcpout]
defaultGroup = default-INDEXERS
autoLB = true
autoACK = true
indexAndForward = false
forwardedindex.filter.disable = true

Configuration settings to forward logs from Heavy forwarder to Indexer1 and Indexer2

[tcpout:default-INDEXERS]
autoLBFrequency = 40
server = indexer1:9997,indexer2:9997

Configuration settings to forward logs from Heavy forwarder to Third party.

[syslog]
type = udp
sendCookedData = false
DefaultGroup = SIEM-TP

[syslog:SIEM-TP]
server=X.X.X.X:port
disabled=false

Re: How can I forward data received from file path monitoring to third party system?

harsmarvania57 — Wed, 20 Dec 2017 14:05:19 GMT

In syslog stanza it should be defaultGroup not DefaultGroup, if this is correctly configured then please share your props.conf and transforms.conf

Re: How can I forward data received from file path monitoring to third party system?

swapsplunk236 — Wed, 20 Dec 2017 14:15:39 GMT

Hi, Thank you for the suggestion. I will try this too.

Re: How can I forward data received from file path monitoring to third party system?

swapsplunk236 — Tue, 29 Sep 2020 17:19:59 GMT

Thanks. Here is my prop.conf

[host::*]
TRANSFORMS = SIEM-TP-T

and transform.conf

[SIEM-TP-T]
REGEX= .
DEST_KEY =_SYSLOG_ROUTING
FORMAT = SIEM-TP

Re: How can I forward data received from file path monitoring to third party system?

harsmarvania57 — Wed, 20 Dec 2017 14:22:10 GMT

Please change your props.conf as below and restart splunk on HF.

[host::*]
TRANSFORMS-all = SIEM-TP-T

Re: How can I forward data received from file path monitoring to third party system?

DavidHourani — Thu, 21 Dec 2017 15:42:43 GMT

Hi swapsplunk236,

If your OS logs are being received that means your chain UF -> HF ->IDX+3rdParty is working properly. It could be that you misconfigured the data input to read from your folders. Can you please post your UF inputs / outputs config ?

Regards,
David

Re: How can I forward data received from file path monitoring to third party system?

swapsplunk236 — Thu, 28 Dec 2017 11:17:35 GMT

This worked for me! Thank you very much.
[host::*]
TRANSFORMS-all = SIEM-TP-T

Re: How can I forward data received from file path monitoring to third party system?

harsmarvania57 — Thu, 28 Dec 2017 13:33:50 GMT

I have converted my comment to answer, please accept and upvote it.