topic Re: Forward windows eventlog to 3rd party system in Getting Data In

Forward windows eventlog to 3rd party system

Mtakahashi — Tue, 29 Sep 2020 13:19:48 GMT

I need to forward windows eventlog of a particular server to 3rd party system (Arcsight) as raw data.

I created the outputs.conf at local folder and restarted the splunk service.
Then, it looks Arcsight only received sort of splunk log and meta data (windows eventlog) was missed out.

Log forwarding to Splunk server has been working properly.
Can you please let me know how can I make this happen..thanks in advance.

Here are some data Arcsight received
03-22-2017 19:37:53.078 +0900 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_192.168.198.100_(port)_(windows host)_A2ED90B0-3C6A-4AB7-8CC0-BAFCB3C9F8D9
03-22-2017 19:38:03.613 +0900 INFO Metrics - group=deploy-client, name=app_downloads, volumeCompletedKB=0.0
03-22-2017 19:38:03.613 +0900 INFO Metrics - group=deploy-connections, nCurrent=0
03-22-2017 19:38:03.613 +0900 INFO Metrics - group=realtime_search_data, system total, drop_count=0
03-22-2017 19:37:38.844 +0900 INFO StatusMgr - destHost=(Splunk Indexer host), destIp=192.168.63.200, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
03-22-2017 19:37:39.266 +0900 INFO TcpOutputProc - Connected to idx=192.168.63.200:9997

Re: Forward windows eventlog to 3rd party system

gfreitas — Thu, 23 Mar 2017 12:16:17 GMT

This is internal messages to _internal index of Splunk. Have you configured to just forward the WinEventLog:* to Arcsight?
Here you can find information on how to choose the correct data: https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

Re: Forward windows eventlog to 3rd party system

Mtakahashi — Fri, 24 Mar 2017 00:42:49 GMT

Thanks for your comment.
Yes, I had looked that information and just modified the outputs.conf
Do I need to modify props.conf and transforms.conf ?
At this moment, I'm fine to forward all the logs on this win server.

Re: Forward windows eventlog to 3rd party system

gfreitas — Fri, 24 Mar 2017 10:39:22 GMT

Hi, you don`t really need to change the props.conf and transforms.conf unless you want to send just the WinEventLog:* data

Re: Forward windows eventlog to 3rd party system

koshyk — Fri, 24 Mar 2017 12:12:01 GMT

Two ways you can forward
1. TCPOUT
2. Syslog

1. TCPOUT , you can do via Universal Forwarder and is easier.
Just put the settings as below

[tcpout]

[tcpout:arcsight]
server = 192.168.38.100:12345
sendCookedData = false

Things to be careful while doing tcpout are
- Ensure your outputs queue won't be filled up if the ArcSight SErver is not available. This might impact your indexing
- Ensure the syslog-server is listening on 12345 and all firewall is enabled

2. Syslog . This requires Heavy Forwarder
For Syslog you need a transforms.conf as below

[fwd_syslog_to_arcsight]
REGEX = .
DEST_KEY=_SYSLOG_ROUTING
FORMAT=arcsight_out

and in outputs.conf

[arcsight_out]
server = 192.168.38.100:12345
priority=NO_PRI
syslogSourceType=helloMrArcSight

Advantages are
- You can send via UDP and don't care about 3rd party system availability
- Can stick to RFC standards as per syslog and no one can ask you to modify the data. My advice is NEVER touch on raw data and 3rd parties will demand more 🙂

Re: Forward windows eventlog to 3rd party system

Mtakahashi — Mon, 27 Mar 2017 00:40:55 GMT

Thanks, I understood I don't have to modify the props.conf and transforms.conf

Re: Forward windows eventlog to 3rd party system

Mtakahashi — Mon, 27 Mar 2017 00:45:35 GMT

Thanks for your comment.
This time, I'd like to use the universal forwarder and actually my outputs.conf was already modified and it didn't work.
Do you have any suspicious points?
I confirmed the syslog-server is listening on 12345.

Re: Forward windows eventlog to 3rd party system

Mtakahashi — Tue, 28 Mar 2017 01:02:01 GMT

I confirmed with Splunk support that my configuration seems no issue about using universal forwarder.
I guess root cause is not splunk side.