All Apps and Add-ons

RSA DLP and Splunk

SYY
New Member

Has anyone tried to feed RSA DLP event logs into Splunk? Someone told me data format can be CEF syslog, but from RSA Enterprise Manager, I can only see raw syslogs.

Can anyone provide an example of what kind of data will I see in Splunk.

Thanks in Advance.

Tags (2)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

If don't see a published TA app for it, chances are nobody else (who can talk about it publically) has been down this road. Make a test index, set up a data feed, see what you get 🙂

0 Karma

jpass
Contributor

"Can anyone provide an example of what kind of data will I see in Splunk"

Splunk won't change the way your logs look if you were to simply view them in Nano or a text editor or something.

If your logs look like this:

2013-10-15 23:44:05 theabyss gonnagetusucka 00012
2013-10-15 23:44:05 bigtroublelilchina mistermom 00015
2013-10-15 23:44:05 inspector jaba 00013
2013-10-15 23:44:05 yogi binks 00019
2013-10-15 23:44:05 boobo daluke 00011

They will end up in splunk looking the same. Although, they will be separated into individual events.

I'm not sure what type of logs you're referring to but I used movie titles and other things that came to mind because it doesn't matter what your logs look like. They go into Splunk and, unless you create some transforms, they won't be changed.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...