topic Re: Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog in Getting Data In

Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog

ZimmermanC1 — Sat, 25 Jan 2020 20:46:15 GMT

I am having trouble wrapping my head around how to configure a HF to forward the sourcetypes of syslog and auditd to a 3rd party syslog host as well as to an indexer, without sending other sourcetypes as well.

I am trying to use a combination of these to docs to help but I have not been successful yet.
Route and filter data
Forward data to third-party systems

My configs look like this right now.

props.conf

[syslog]
TRANSFORMS-routing = routeAll, send_to_syslog

[auditd]
TRANSFORMS-routing = routeAll, send_to_syslog

[cpu]
TRANSFORMS-routing = routeAll

[ps]
TRANSFORMS-routing = routeAll

transforms.conf

[routeAll]
REGEX = (.)
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

[send_to_syslog]
REGEX = (.)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = Y.Y.Y.Y:9997

[tcpout-server://Y.Y.Y.Y:9997]

[indexAndForward]
index = false

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = X.X.X.X:514
sendCookedData = false
type = tcp

Re: Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog

gcusello — Tue, 28 Jan 2020 10:03:00 GMT

Hi @ZimmermanC1,
what's the wrong behaviour you have?
Have you also other Heavy Forwarders that sends these logs to this HF?

Ciao.
Giuseppe

Re: Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog

ZimmermanC1 — Wed, 29 Jan 2020 00:01:24 GMT

No, there is only 1 HF collecting from dozens of UF. The HF is being used as a network segmentation conduit.

Re: Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog

gcusello — Wed, 29 Jan 2020 07:23:00 GMT

Hi @ZimmermanC1,
OK what's the wrong behaviour you have?

Ciao.
Giuseppe

Re: Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog

abhijeet01 — Wed, 29 Jan 2020 07:34:15 GMT

Hi ZimmermanC1 ,

PFB link for forwarding syslog log data to indexer or third part syslog host by HF.

https://splunkonbigdata.com/2019/07/09/syslog-integration-with-splunk/

Let me know.

Re: Splunk HF send only auditd, syslog, linux_secure to 3rd party syslog

ZimmermanC1 — Wed, 30 Sep 2020 03:56:41 GMT

My issue is that i need a configuration that will only forward events to my 3rd party syslog server that come from monitoring of:
/var/log/messages
/var/log/secure
/var/log/audit/audit.log
Even if I have other scripts running via the Splunk_TA_nix app on each UF that is feeding the HF.

Right now I can only get the HF to send all events to both the Splunk Indexers and the 3rd party syslog server.
As an example, I have ps.sh enabled to run every 10 minutes via Splunk_TA_nix on each machine that has a UF installed on it. I want the PS events to go to the indexers but not into the 3rd party syslog server.