All Apps and Add-ons

Forwarding events from Splunk DB Connect and Splunk OPSEC LEA

nryagin
Explorer

Hi there,

I'm trying to set up forwarding from Splunk to 3rd party tool and I spent a lot of time searching for the answer on my question why Splunk doesn't forward events which are collected by using Splunk OPSEC LEA Connector or Splunk DB Connect. Other events like Windows Events which are collected by SUF are forwarded fine to 3rd party.

I've reread a lot of times Splunk Docs but I didn't found any issue on my side

My schema installation looks like:

Heavy Forwarder with installed Splunk OPSEC LEA and Splunk DB Connect >
Indexers with config files shown below >
3rd party tool

I've got the following configuration files:

props.conf
`[WinEventLog:Security]
TRANSFORMS-routing = dst_2024
[WinEventLog:System]
TRANSFORMS-routing = dst_2024
[WinEventLog:Application]
TRANSFORMS-routing = dst_2024

[opsec]
TRANSFORMS-opsec = dst_2025
[opsec:vpn]
TRANSFORMS-routing = dst_2025
[opsec:smartdefense]
TRANSFORMS-routing = dst_2025`

transforms.conf
[dst_2024]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2024
[dst_2025]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2025

outputs.conf
`[tcpout]
defaultGroup = nothing
indexAndForward = 1

Windows

[tcpout:dst-sensor-2024]
disabled = false
server = XX.XX.XX.XX:2024
sendCookedData = false
dropEventsOnQueueFull = 1

Checkpoint

[tcpout:dst-sensor-2025]
disabled = false
server = XX.XX.XX.XX:2025
sendCookedData = false
dropEventsOnQueueFull = 1`

Does someone have any idea what sort of mistake was made by me or it might be a bug?
I've tried to set up CheckPoint input on Indexer and I found that Splunk started forwarded data but I still don't understand what the problem.

0 Karma
1 Solution

nryagin
Explorer
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...