All Apps and Add-ons

Help with darktrace extraction with darktrace connector

Loves-to-Learn

Hello,

I have a problem with daktrace collector.

Monitor logs Darktrace

Logs Darktrace

[monitor:///srv/syslogdata/darktrace/]
disabled = false
recursive = true
index = darktrace
sourcetype = darktrace:syslog
whitelist = \.log$
host_segment = 4
The data arrives in Splunk However the field of extraction does not work.
the conf props.conf  in .../Darktrace/defaults/ in syslog is:
[darktrace]
pulldown_type = true
KV_MODE = json
category = Structured
description = Darktrace JSON syslog format.
SEDCMD-remove_header = s/^[^\{]+//

I have an architecture with utility server, search head, cluster indexers, syslog+UF (darktrace).
I need some help, please.
Thank you in advance.

0 Karma

Contributor

Hello,

How are you sending Darktrace logs to Splunk? When I deployed the connector I have used a TCP port to perform the input. The props.conf in default folder is just like yours. But in the local folder there are some other configs:

local/props.conf:

DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
disabled = false

My inputs.conf:

[tcp://5515]
connection_host = dns
index = darktrace
sourcetype = darktrace
0 Karma