https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104550#M9547 <P>I configured the outputs.conf in my etc/local dir to forward AD logs from an indexer to a 3rd part SIEM . restarted, and still no joy. any ideas.</P> Tue, 01 Dec 2015 15:02:00 GMT mariogiovannitt 2015-12-01T15:02:00Z https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104546#M9543 <P>I am told it is very simple to take already indexed events from splunk and send them over to a 3rd party SIEM appliance like McAfee ESM. </P> <P>Has anyone done this successfully? How hard was it to implement? Can you limit / forward only selected events? Can you limit forwarding to only select hosts or log types? </P> <P>I have seen a few other similar questions and it seems INCREDIBLY simple, to the point of adding only a few lines of code to a few files. Is it really that easy?</P> Tue, 23 Jul 2013 22:36:11 GMT https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104546#M9543 MattQ 2013-07-23T22:36:11Z https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104547#M9544 <P>Use the REST or other API or the CLI to perform a search (scheduled or even real-time) and have the results sent to whatever API or file the other tool uses.</P> <P>It's relatively simple, really, and you can do this with any search you want so you can send selective results to your other tool.</P> Thu, 25 Jul 2013 04:21:37 GMT https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104547#M9544 jtrucks 2013-07-25T04:21:37Z https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104548#M9545 <P>You may also want to look at the Real-Time output app:</P> <P><A href="http://splunk-base.splunk.com/apps/48082/splunk-real-time-output">http://splunk-base.splunk.com/apps/48082/splunk-real-time-output</A></P> Thu, 25 Jul 2013 12:54:15 GMT https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104548#M9545 dshpritz 2013-07-25T12:54:15Z https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104549#M9546 <P>You could also use a heavy forwarder and forward the data to McAfee via syslog at the same time as it sends it to your Splunk indexer. Of course this is before the data is indexed. This will also give you the flexibility to send a subset of the data. See the docs below:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd">http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd</A></P> Thu, 25 Jul 2013 13:12:23 GMT https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104549#M9546 sdaniels 2013-07-25T13:12:23Z https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104550#M9547 <P>I configured the outputs.conf in my etc/local dir to forward AD logs from an indexer to a 3rd part SIEM . restarted, and still no joy. any ideas.</P> Tue, 01 Dec 2015 15:02:00 GMT https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104550#M9547 mariogiovannitt 2015-12-01T15:02:00Z https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104551#M9548 <P>please refer any link or document.</P> Wed, 17 May 2017 12:15:53 GMT https://community.splunk.com/t5/Installation/Forwarding-splunk-d-logs-to-third-party-siem-McAfee-ESM/m-p/104551#M9548 kupawar 2017-05-17T12:15:53Z