All Apps and Add-ons

Forwarding events from Splunk DB Connect and Splunk OPSEC LEA

nryagin
Explorer

Hi there,

I'm trying to set up forwarding from Splunk to 3rd party tool and I spent a lot of time searching for the answer on my question why Splunk doesn't forward events which are collected by using Splunk OPSEC LEA Connector or Splunk DB Connect. Other events like Windows Events which are collected by SUF are forwarded fine to 3rd party.

I've reread a lot of times Splunk Docs but I didn't found any issue on my side

My schema installation looks like:

Heavy Forwarder with installed Splunk OPSEC LEA and Splunk DB Connect >
Indexers with config files shown below >
3rd party tool

I've got the following configuration files:

props.conf
`[WinEventLog:Security]
TRANSFORMS-routing = dst_2024
[WinEventLog:System]
TRANSFORMS-routing = dst_2024
[WinEventLog:Application]
TRANSFORMS-routing = dst_2024

[opsec]
TRANSFORMS-opsec = dst_2025
[opsec:vpn]
TRANSFORMS-routing = dst_2025
[opsec:smartdefense]
TRANSFORMS-routing = dst_2025`

transforms.conf
[dst_2024]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2024
[dst_2025]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = dst-sensor-2025

outputs.conf
`[tcpout]
defaultGroup = nothing
indexAndForward = 1

Windows

[tcpout:dst-sensor-2024]
disabled = false
server = XX.XX.XX.XX:2024
sendCookedData = false
dropEventsOnQueueFull = 1

Checkpoint

[tcpout:dst-sensor-2025]
disabled = false
server = XX.XX.XX.XX:2025
sendCookedData = false
dropEventsOnQueueFull = 1`

Does someone have any idea what sort of mistake was made by me or it might be a bug?
I've tried to set up CheckPoint input on Indexer and I found that Splunk started forwarded data but I still don't understand what the problem.

0 Karma
1 Solution

nryagin
Explorer
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...