With the SplunkRealTimeOutput app from SplunkBase this seems to work for syslog messages.
The issue I'm running into now is that while this app does produce CEF I don't believe it is correct for Windows logs.
To match the capability of the ArcSight Windows unified connector you would need lookup tables, categorization (possible with tags) and correct data mapping.
With nearly 520 Windows audit messages there are so many fields that must be properly mapped.
For example, in Windows audit messages there are several fields that represent the user [user, User, CallerUserName, srcusr, UserName, PrimaryUserName]. Selecting the right field is difficult and this is just a one field example.
I recognize that ArcSight has put many years into properly mapping all the Windows audit data to fields.
I want to use Splunk for the back-end logging solution, but I don't think it's going to happen without a bunch of custom programming.
Does anyone have this working properly?
hi, this add-on has that job: https://apps.splunk.com/app/742/
We are familiar with the scope of the job... for multi-lingual situations with unsupported versions of windows, it will take some more work, but you're still better off starting from the add-on than starting from scratch.
Does this add-on allow us to convert Splunk Windows output to the ArcSight CEF format? Or do you have to run it through this app first and then run it through the Splunk App for CEF before it's ready to be transferred to ArcSight?
How many stages does the data have to go through before it can be transferred to ArcSight in the proper CEF format?
Hi, there are a couple of possible paths:
- a Splunk forwarder on the Windows system uses input capabilities provided by the forwarder and configurations provided by the Windows Add-on to gather the events and send them to Splunk indexers. A search head uses configurations provided by the Windows Add-on and CEF app to output syslog to ArcSight. This is our preferred solution.
- a third-party solution on the Windows system converts events to syslog and sends them to an intermediate location via syslog. A Splunk forwarder picks up these events and uses configurations provided by the Windows Add-on to gather the events and send them to Splunk indexers. A search head uses configurations provided by the Windows Add-on and CEF app to output syslog to ArcSight.
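As an added example (not code from the thread, the Windows Add-on or the CEF app), here is the kind of mapping the search-head output stage has to perform: pick one canonical user out of the competing Windows user fields listed in the question and emit a properly escaped CEF:0 line. The precedence order, the field-to-key mapping and the sample event are constructed assumptions.

```python
from typing import Dict, Optional
# Precedence among the competing user field names from the question (constructed).
USER_FIELDS = ("CallerUserName", "PrimaryUserName", "UserName",
               "user", "User", "srcusr")
# Constructed Windows-field -> CEF-extension-key mapping and event names.
EXT_MAP = {"ComputerName": "dvchost", "src_ip": "src",
           "Logon_Type": "cs1", "Failure_Reason": "reason"}
EVENT_NAMES = {"4624": "An account was successfully logged on",
               "4625": "An account failed to log on"}

def pick_user(ev: Dict[str, str]) -> Optional[str]:
    """Return the first populated user field in precedence order ('-' counts as empty)."""
    for name in USER_FIELDS:
        val = (ev.get(name) or "").strip()
        if val and val != "-":
            return val
    return None

def esc_header(v: str) -> str:
    """CEF header fields: escape backslash and pipe, strip line breaks."""
    return (v.replace("\\", "\\\\").replace("|", "\\|")
             .replace("\r", "").replace("\n", " "))

def esc_ext(v: str) -> str:
    """CEF extension values: escape backslash and '=', encode newlines as \\n."""
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "").replace("\n", "\\n"))

def to_cef(ev: Dict[str, str], severity: int = 3) -> str:
    """Render one Windows event dict as a CEF:0 line: header plus extension."""
    code = ev.get("EventCode", "0")
    header = "|".join(esc_header(x) for x in (
        "Microsoft", "Microsoft Windows", ev.get("os_version", "unknown"),
        code, EVENT_NAMES.get(code, "Windows event " + code), str(severity)))
    ext = []
    user = pick_user(ev)
    if user is not None:
        ext.append("suser=" + esc_ext(user))  # one canonical user key
    for src, key in EXT_MAP.items():
        if src in ev:
            ext.append(key + "=" + esc_ext(ev[src]))
    if "Logon_Type" in ev:
        ext.append("cs1Label=LogonType")  # label the custom string field
    return "CEF:0|" + header + "|" + " ".join(ext)

# Constructed sample event (not a real log) showing the user-field ambiguity.
SAMPLE_EVENT = {"EventCode": "4625", "ComputerName": "dc01.example.local",
                "os_version": "6.3", "user": "", "User": "-", "CallerUserName": "",
                "UserName": "j.doe", "src_ip": "10.0.0.5", "Logon_Type": "3",
                "Failure_Reason": "bad=password"}
```

Calling `to_cef(SAMPLE_EVENT)` yields a single line whose header keeps exactly seven unescaped pipes, which is the first thing an ArcSight receiver checks before it parses the extension.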
Are you attempting to get Windows events out of Splunk and into ArcSight or are you attempting to get Windows logs into Splunk from your Windows devices directly? Splunk does have a Windows
I would like to know the easiest, least stressful way to get the Windows events into ArcSight.
Does the Splunk App for CEF convert the data to the same CEF format as ArcSight CEF?
The problem with syslog messages is that we can't simply process them with a bit of regex! They vary in format and ordering, and Microsoft is notoriously inconsistent anyway.
The logic required is massive, so you have to use a multi-phase process to do this. Since Splunk doesn't do this, we will always struggle to process the data that comes out of Splunk. It's going to be in a munged format (Mung (computer term) - Wikipedia, the free encyclopedia) and hence we cannot process it with any certainty.
You "could" try to decode all of the messages and then apply them to the maps and go from there. But having tried to do this myself in the past, I gave up. It's going to be a real pain and of limited real use anyway. The same goes for Splunk: you could do a FlexConnector for the syslog "CEF" data, but it's going to be complex at best, almost impossible for multi-lingual situations!
Can you shed some light on these problems for us? Do you have some better suggestions for integrating data into ArcSight?
Thanks in advance