
Help with darktrace extraction with darktrace connector

dfall
Loves-to-Learn

Hello,

I have a problem with the Darktrace collector.

Monitor logs Darktrace

Logs Darktrace

[monitor:///srv/syslogdata/darktrace/]
disabled = false
recursive = true
index = darktrace
sourcetype = darktrace:syslog
whitelist = \.log$
host_segment = 4
The data arrives in Splunk; however, the field extraction does not work.
The props.conf in .../Darktrace/defaults/ for syslog is:
[darktrace]
pulldown_type = true
KV_MODE = json
category = Structured
description = Darktrace JSON syslog format.
SEDCMD-remove_header = s/^[^\{]+//

I have an architecture with utility server, search head, cluster indexers, syslog+UF (darktrace).
I need some help, please.
Thank you in advance.


lznger88_2
Path Finder

Hi All,

Was the issue resolved? I ask as I currently have extraction issues but am not having any luck with resolving them.


alonsocaio
Contributor

Hello,

How are you sending Darktrace logs to Splunk? When I deployed the connector, I used a TCP port for the input. The props.conf in the default folder is just like yours, but in the local folder there are some other configs:

local/props.conf:

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false

My inputs.conf:

[tcp://5515]
connection_host = dns
index = darktrace
sourcetype = darktrace
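Added example, not code from the thread, the Darktrace app or Splunk: a small Python script that parses the two inputs.conf stanzas and the default props.conf stanza quoted above and reports every sourcetype that has no props.conf stanza of the same name, since a `[<name>]` props stanza only applies to events whose sourcetype is exactly `<name>`. It then replays the app's `SEDCMD-remove_header` on a constructed syslog line to show what `KV_MODE = json` gets with and without the syslog header stripped. The conf text is copied from the posts; the sample event (host `dt01`, the JSON body) is constructed; `parse_conf` is a simplified reader that does not model Splunk's default/local layering or which server each setting is read on.

```python
"""Check inputs.conf sourcetypes against props.conf stanzas and replay the
Darktrace SEDCMD on a sample syslog event.  Added example; conf text is
copied from the thread, the sample event is constructed."""
import configparser
import json
import re

# inputs.conf stanza as posted by dfall (copied from the thread)
DFALL_INPUTS = r"""
[monitor:///srv/syslogdata/darktrace/]
disabled = false
recursive = true
index = darktrace
sourcetype = darktrace:syslog
whitelist = \.log$
host_segment = 4
"""

# inputs.conf stanza as posted by alonsocaio (copied from the thread)
ALONSO_INPUTS = """
[tcp://5515]
connection_host = dns
index = darktrace
sourcetype = darktrace
"""

# default/props.conf stanza quoted in the thread
DARKTRACE_PROPS = r"""
[darktrace]
pulldown_type = true
KV_MODE = json
category = Structured
description = Darktrace JSON syslog format.
SEDCMD-remove_header = s/^[^\{]+//
"""

# Constructed sample: a syslog header in front of a small JSON body.
SAMPLE = ('<14>Sep 12 10:15:00 dt01 darktrace: '
          '{"model": {"name": "Example/Test"}, "score": 0.42}')


def parse_conf(text):
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}.
    Simplified: no default/local merging, no Splunk-specific escaping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. KV_MODE, SEDCMD-remove_header
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def sourcetypes_without_props(inputs_text, props_text):
    """Sourcetypes set in inputs.conf that have no same-named props stanza."""
    inputs = parse_conf(inputs_text)
    props = parse_conf(props_text)
    used = {st["sourcetype"] for st in inputs.values() if "sourcetype" in st}
    return {s for s in used if s not in props}


SED_RE = re.compile(r"^s/(.*?)/(.*?)/(g?)$")


def apply_sedcmd(sed, event):
    """Apply one Splunk-style SEDCMD 's/regex/replacement/[g]' to an event."""
    m = SED_RE.match(sed)
    if not m:
        raise ValueError("unsupported SEDCMD: " + sed)
    pattern, repl, flag = m.groups()
    return re.sub(pattern, repl, event, count=0 if flag == "g" else 1)


def extract_json_fields(event, props):
    """Replay the stanza's SEDCMD-* settings, then KV_MODE=json, on one event.
    Returns {} when the event is not valid JSON after the SEDCMDs, which is
    what a search-time JSON extraction yields on a header-prefixed event."""
    for key, val in props.items():
        if key.startswith("SEDCMD-"):
            event = apply_sedcmd(val, event)
    if props.get("KV_MODE") != "json":
        return {}
    try:
        return json.loads(event)
    except json.JSONDecodeError:
        return {}


def check_thread_configs():
    """Unmatched sourcetypes for each poster's inputs.conf against the app stanza."""
    return {
        "dfall": sourcetypes_without_props(DFALL_INPUTS, DARKTRACE_PROPS),
        "alonsocaio": sourcetypes_without_props(ALONSO_INPUTS, DARKTRACE_PROPS),
    }


if __name__ == "__main__":
    print(check_thread_configs())
    stanza = parse_conf(DARKTRACE_PROPS)["darktrace"]
    print(extract_json_fields(SAMPLE, stanza))             # fields extracted
    print(extract_json_fields(SAMPLE, {"KV_MODE": "json"}))  # no SEDCMD: {}
```

Run stand-alone, the check reports `darktrace:syslog` for the first inputs.conf and nothing for the second, which is the only difference between the two posted inputs as far as the `[darktrace]` stanza is concerned. Bear in mind that SEDCMD is an index-time setting and takes effect on the indexer or heavy forwarder that first parses the data, not on a universal forwarder, while KV_MODE is a search-time setting read on the search head; the script applies both in sequence only to illustrate their combined effect.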