All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

RSA DLP and Splunk

SYY
New Member
‎10-14-2013 02:45 PM

Has anyone tried to feed RSA DLP event logs into Splunk? Someone told me data format can be CEF syslog, but from RSA Enterprise Manager, I can only see raw syslogs.

Can anyone provide an example of what kind of data will I see in Splunk.

Thanks in Advance.

Tags (2)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-15-2013 06:41 AM

If don't see a published TA app for it, chances are nobody else (who can talk about it publically) has been down this road. Make a test index, set up a data feed, see what you get 🙂

0 Karma
Reply

jpass
Contributor
‎10-14-2013 07:16 PM

"Can anyone provide an example of what kind of data will I see in Splunk"

Splunk won't change the way your logs look if you were to simply view them in Nano or a text editor or something.

If your logs look like this:

2013-10-15 23:44:05 theabyss gonnagetusucka 00012
2013-10-15 23:44:05 bigtroublelilchina mistermom 00015
2013-10-15 23:44:05 inspector jaba 00013
2013-10-15 23:44:05 yogi binks 00019
2013-10-15 23:44:05 boobo daluke 00011

They will end up in splunk looking the same. Although, they will be separated into individual events.

I'm not sure what type of logs you're referring to but I used movie titles and other things that came to mind because it doesn't matter what your logs look like. They go into Splunk and, unless you create some transforms, they won't be changed.

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!