
Splunk App for CEF : Adding UDP support

Lucas_K
Motivator

Has anyone made the CEF app output UDP instead of TCP?

TCP is the only thing that is supported, but there is nothing to stop someone from creating a tcpout and then editing the file to make it UDP.

Just wondering if anyone has tried it.

Seeing that CEF devices mostly receive over UDP, it is quite surprising that this isn't even supported. As the app is quite old and doesn't look to be in active development anymore, our only choice is home-brewed fixes.

1 Solution

Lucas_K
Motivator

I've done it.

Note: the following will stop you being able to edit individual rules via the GUI for anything that has been updated to a UDP output!
If you do need to update a rule that has been converted to UDP, you will need to redo ALL the steps below each time! It's ugly ... but it works. The method below has been tested on 6.3.1 only.

How to create a UDP output for the Splunk App for CEF (v1.0.0).

Create the CEF rule via the GUI as normal. Set the destination as you would if UDP were supported, i.e. 192.168.0.15:514 etc.
Call the output group something UDP-specific, i.e. udpoutput1.

There are now 3 files to edit.

  1. savedsearches.conf
  2. inputs.conf
  3. outputs.conf

savedsearches.conf

Note: I've done a couple of these now and this step isn't already required!

This is what creates the stash file with the translated cef results inside.
We need to change the routing action.

Find the following line for the rule you want UDP to work with.
action.cefout._ROUTING = tcpoutput

Replace with
action.cefout._ROUTING = udpoutput1

inputs.conf

This is what ingests the stash file created by the saved search.

Find the batch input stanza that matches the output group you want to convert to UDP, i.e.
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_cef_udpoutput1]

Find
_TCP_ROUTING = udpoutput1

Replace with
_SYSLOG_ROUTING = udpoutput1

outputs.conf

This controls where the data is sent.

Find the tcpout udpoutput1 stanza, i.e.
[tcpout:udpoutput1]
sendCookedData = 0
server = 192.168.0.15:514

Replace with
[syslog:udpoutput1]
server = 192.168.0.15:514
type = udp
sendCookedData = 0

Save and restart Splunk.

Rejoice as glorious UDP packets stream into your destination security devices!

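Because the answer above warns that every GUI edit to a converted rule forces all three file edits to be redone, the steps are a natural candidate for a script. The following is an added example written for this page, not code from the Splunk App for CEF or from the answer's author. It applies the three edits (savedsearches.conf routing action, inputs.conf batch stanza `_TCP_ROUTING` to `_SYSLOG_ROUTING`, outputs.conf `[tcpout:...]` to `[syslog:...]` with `type = udp`) to the text of each file and then checks that the three files agree before Splunk is restarted. The sample stanza contents, the rule names `cef_rule_firewall` and `cef_rule_other`, and the batch path (the answer's path is abbreviated with `...`, so a constructed one is used) are all invented for the example; the batch stanza is matched on the `stash_cef_<group>` suffix the answer shows.

```python
import re

# Constructed sample stanzas shaped like the fragments quoted in the answer;
# the rule names and the batch path are invented for this example.
SAVEDSEARCHES_BEFORE = """[cef_rule_firewall]
action.cefout._ROUTING = tcpoutput

[cef_rule_other]
action.cefout._ROUTING = tcpoutput
"""
INPUTS_BEFORE = """[batch://$SPLUNK_HOME/var/spool/splunk/stash_cef_udpoutput1]
move_policy = sinkhole
_TCP_ROUTING = udpoutput1
"""
OUTPUTS_BEFORE = """[tcpout:udpoutput1]
sendCookedData = 0
server = 192.168.0.15:514
"""

def parse_stanzas(text):
    """Split .conf text into (header, body_lines) pairs; header None is the preamble."""
    stanzas, header, body = [], None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            stanzas.append((header, body))
            header, body = s[1:-1], []
        else:
            body.append(line)
    stanzas.append((header, body))
    return stanzas

def render(stanzas):
    """Inverse of parse_stanzas."""
    lines = [l for h, b in stanzas for l in ([f"[{h}]"] if h is not None else []) + b]
    return "\n".join(lines) + "\n"

def _key_re(key):
    return re.compile(rf"^\s*{re.escape(key)}\s*=\s*(.*?)\s*$")

def get_key(body, key):
    """Value of 'key = value' in a stanza body, or None if the key is absent."""
    return next((m.group(1) for m in map(_key_re(key).match, body) if m), None)

def set_key(body, key, value):
    """Replace 'key = ...' in place, or append it before any trailing blank lines."""
    if any(_key_re(key).match(l) for l in body):
        return [f"{key} = {value}" if _key_re(key).match(l) else l for l in body]
    end = len(body)
    while end and not body[end - 1].strip():
        end -= 1
    return body[:end] + [f"{key} = {value}"] + body[end:]

def _is_batch_for(header, group):
    return bool(header) and header.startswith("batch://") and f"stash_cef_{group}" in header

def convert_savedsearches(text, rule, group):
    """Step 1: point the rule's cefout action at the UDP output group."""
    return render([(h, set_key(b, "action.cefout._ROUTING", group) if h == rule else b)
                   for h, b in parse_stanzas(text)])

def convert_inputs(text, group):
    """Step 2: in the batch input for this group, swap _TCP_ROUTING for _SYSLOG_ROUTING."""
    out = []
    for header, body in parse_stanzas(text):
        if _is_batch_for(header, group):
            body = [l for l in body if not _key_re("_TCP_ROUTING").match(l)]
            body = set_key(body, "_SYSLOG_ROUTING", group)
        out.append((header, body))
    return render(out)

def convert_outputs(text, group):
    """Step 3: turn [tcpout:<group>] into [syslog:<group>] with type = udp."""
    return render([(f"syslog:{group}", set_key(b, "type", "udp")) if h == f"tcpout:{group}"
                   else (h, b) for h, b in parse_stanzas(text)])

def verify_udp_group(savedsearches, inputs, outputs, rule, group):
    """Inconsistencies across the three files; an empty list means ready to restart Splunk."""
    ss = {h: b for h, b in parse_stanzas(savedsearches) if h}
    oc = {h: b for h, b in parse_stanzas(outputs) if h}
    batches = [b for h, b in parse_stanzas(inputs) if _is_batch_for(h, group)]
    checks = [
        (get_key(ss.get(rule, []), "action.cefout._ROUTING") == group,
         f"savedsearches.conf: [{rule}] does not route to {group}"),
        (bool(batches), f"inputs.conf: no batch stanza for stash_cef_{group}"),
        (all(get_key(b, "_SYSLOG_ROUTING") == group for b in batches),
         f"inputs.conf: batch stanza lacks _SYSLOG_ROUTING = {group}"),
        (all(get_key(b, "_TCP_ROUTING") is None for b in batches),
         "inputs.conf: stale _TCP_ROUTING still present"),
        (f"tcpout:{group}" not in oc, f"outputs.conf: [tcpout:{group}] still present"),
        (get_key(oc.get(f"syslog:{group}", []), "type") == "udp",
         f"outputs.conf: no [syslog:{group}] stanza with type = udp"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":  # demo run on the constructed samples
    ss = convert_savedsearches(SAVEDSEARCHES_BEFORE, "cef_rule_firewall", "udpoutput1")
    inp, outp = convert_inputs(INPUTS_BEFORE, "udpoutput1"), convert_outputs(OUTPUTS_BEFORE, "udpoutput1")
    print(ss, inp, outp, verify_udp_group(ss, inp, outp, "cef_rule_firewall", "udpoutput1"), sep="---\n")
```

The conversions only touch the stanzas for the named rule and output group and are idempotent, so the script can be re-run after every GUI edit without accumulating changes. `verify_udp_group` checks that the three files agree with each other; it does not check delivery, and since UDP syslog carries no acknowledgement, the only confirmation that events arrive is on the receiving device. Run it against the files in the app's `local` directory and confirm the merged result with `splunk btool outputs list --debug` before restarting.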

