topic Re: Using Splunk Forwarder to Forward to ArcSight in Getting Data In

Using Splunk Forwarder to Forward to ArcSight

splunkwelhammeu — Mon, 18 Jul 2011 14:35:41 GMT

I've read
http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd
And this looks possible, although with limitations.
I'm particularly thinking of forwarding to an existing ArcSight Logger instance.

Has any one tried this, and what were their experiences?

Also how would licensing and support work in this model.

Re: Using Splunk Forwarder to Forward to ArcSight

jbsplunk — Mon, 18 Jul 2011 21:14:05 GMT

We have people doing this, and as long as the data is sent out in a syslog format, things should work without an issue. There shouldn't really be any limitations, we should be able to send out anything we've indexed with the rawdata contained within the event. What kind of limitations were you concerned about?

I haven't done this myself, so I can't speak to direct experiences, but I have spoken with people who have done this.

Licensing counts data which has been indexed by Splunk. What happens when that data is sent to a third party isn't going to affect the license as the data was already written to an index within Splunk. You don't need any additional licensing to implement this functionality. Support won't be affected in any way, but it ends where the data leaves the Indexer.

Re: Using Splunk Forwarder to Forward to ArcSight

splunkwelhammeu — Tue, 19 Jul 2011 08:11:26 GMT

Thank you for the prompt answer,

From what you have said are we only able to forward log data from an indexer and not directly from a forwarder (without an indexer)?

If we can send data from a Splunk forwarder directly to ArcSight how is licensing / support impacted.

Re: Using Splunk Forwarder to Forward to ArcSight

jbsplunk — Tue, 19 Jul 2011 15:22:50 GMT

Well, you could do it from a heavy forwarder, because data is parsed there, but only after it has been indexed. That means you'd need to have an index configured and would be using licensing volume. There isn't a way to do this without having the data indexed. Again, nothing here that affects support, but your licensing will be impacted.

Re: Using Splunk Forwarder to Forward to ArcSight

ramsanka — Wed, 17 Jun 2015 08:57:13 GMT

I am trying to forward the data (simple logs) from a universal forwarder to a Archsight logger. For achieving this I am passing the IP address of the Archsight logger and the port number. I am passing the default TCP server credentials that are there for the Archsight logger. Still I do not see the logs getting established. is there any other configuration that needs to be done on the outputs.conf file. or logs that i can use to debug the issue further.

Is there any config we need to establish in the archsight logger to ensure that the data comes from the splunkforwarder.

Re: Using Splunk Forwarder to Forward to ArcSight

tjohnson2 — Mon, 22 Jun 2015 19:25:48 GMT

Have you made any progress with this? I have this requirement as well, haven't started the setup yet but was interested in finding out if you found a solution.

My plan was to follow the instructions above and send the raw data from the heavy forwarder before the data is indexed.

Re: Using Splunk Forwarder to Forward to ArcSight

ramsanka — Tue, 23 Jun 2015 05:28:34 GMT

Yes it works. Simply make changes to the output.conf pointing to the ArchSight Logger and ensure the data is not cooked. I could see the raw data being recieved in the Archsight Logger.

Re: Using Splunk Forwarder to Forward to ArcSight

tjohnson2 — Tue, 23 Jun 2015 13:03:16 GMT

Awesome, thank you!

Re: Using Splunk Forwarder to Forward to ArcSight

tjohnson2 — Tue, 23 Jun 2015 13:31:35 GMT

I understand using the Heavy Forwarder to send data to ArcSight, but can you also modify the Outputs.conf file on the Universal Forwarder as well to forward raw data to ArcSight before Indexing?

Re: Using Splunk Forwarder to Forward to ArcSight

bgamblin — Fri, 07 Aug 2015 13:37:43 GMT

If you only want to forward log files from a specific directory on the universal forwarder to arcsight, don't you also need a inputs.conf somewhere? I'm already sending *.debug in rsyslog.conf, but now they want some log files watched as well.

Re: Using Splunk Forwarder to Forward to ArcSight

MEsquandolas — Tue, 29 Sep 2020 06:57:23 GMT

I got it working. Splunk is now sending all Syslog events to my third party SIEM Receiver.

I am using Splunk free standalone on Win2K8 R2

in the /etc/system/local folder, edit the following .conf files (if they do not already exist, simply create them)

props.conf
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout

transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver

outputs.conf
[syslog:udpserver]
server = 1.1.1.1 (server where you want to send syslog)

Good luck all.
,I have figured out how to get Splunk to forward out syslog. (in my case to McAfee SIEM Event Receiver)

I am using a free Splunk stand alone implementation on a Windows 2008 R2 System in my lab.

My .conf files have been placed in \Splunk\etc\system\local - if they are not there already, make them

outputs.conf
[syslog:udpserver]
server = 10.10.10.10 (IP of system you want to forward logs to)
transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver
props.conf
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout

Hope this helps.

Re: Using Splunk Forwarder to Forward to ArcSight

cmorenobuitrago — Wed, 20 Jan 2021 17:14:52 GMT

Late but valid for future queries 🙂

It is possible to forward raw events from the UF by adding the following info to the outputs.conf:

sendCookedData = false