All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

RSA DLP and Splunk

SYY
New Member
‎10-14-2013 02:45 PM

Has anyone tried to feed RSA DLP event logs into Splunk? Someone told me data format can be CEF syslog, but from RSA Enterprise Manager, I can only see raw syslogs.

Can anyone provide an example of what kind of data will I see in Splunk.

Thanks in Advance.

Tags (2)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎10-15-2013 06:41 AM

If don't see a published TA app for it, chances are nobody else (who can talk about it publically) has been down this road. Make a test index, set up a data feed, see what you get 🙂

0 Karma
Reply

jpass
Contributor
‎10-14-2013 07:16 PM

"Can anyone provide an example of what kind of data will I see in Splunk"

Splunk won't change the way your logs look if you were to simply view them in Nano or a text editor or something.

If your logs look like this:

2013-10-15 23:44:05 theabyss gonnagetusucka 00012
2013-10-15 23:44:05 bigtroublelilchina mistermom 00015
2013-10-15 23:44:05 inspector jaba 00013
2013-10-15 23:44:05 yogi binks 00019
2013-10-15 23:44:05 boobo daluke 00011

They will end up in splunk looking the same. Although, they will be separated into individual events.

I'm not sure what type of logs you're referring to but I used movie titles and other things that came to mind because it doesn't matter what your logs look like. They go into Splunk and, unless you create some transforms, they won't be changed.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...