Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk App for CEF : Adding UDP support
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone made the cef app output udp instead of tcp?
TCP is the only thin that is supported but there is nothing to stop someone from creating a tcp out and then editing the file and making it udp.
Just wondering if anyone has tried it.
Seeing that CEF devices mostly receive in UDP it is quite surprising that this isn't even supported, as the APP is quite old and doesn't look to be in active development anymore our only choice are home brewed fixes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've done it.
Note. The following will stop you being able to edit individual rules via the gui for any thing that has been updated to a UDP output!
If you do need to update a rule that has been converted to udp you will need to redo ALL the steps below each time! Its ugly ... but it works. The method below has been tested on 6.3.1 only.
How to create a UDP output for the Splunk For CEF app (v1.0.0).
Create the cef rule by the gui as normal. Set the destination as you would as if UDP was supported. ie. 192.168.0.15:514 etc.
Call the output group something udp specific. ie. udpoutput1
There are now 3 files to edit.
- savedsearches.conf
- inputs.conf
- outputs.conf
savedsearches.conf
Note: i've done a couple of these now and this step isn't already required!
This is what creates the stash file with the translated cef results inside.
We need to change the routing action.
Find the following line for the rule you want UDP to work with.
action.cefout._ROUTING = tcpoutput
Replace with
action.cefout._ROUTING = udpoutput1
inputs.conf
This is what ingests the stash file created from the savedsearch
Find the batch input stanza that matches your output group you want to convert to udp.
ie. [batch://$SPLUNK_HOME/var/spool/splunk/...stash_cef_udpoutput1]
Find
_TCP_ROUTING = udpoutput1
Replace with
_SYSLOG_ROUTING = udpoutput1
outputs.conf
This controls where the data is sent.
Find the tcp udpoutput1 stanza
ie.
[tcpout:udpoutput1]
sendCookedData = 0
server = 192.168.0.15:514
Replace with
[syslog:udpoutput1]
server = 192.168.0.15:514
type = udp
sendCookedData = 0
Save and restart splunk.
Rejoice as glorious UDP packets stream into your destination security devices!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i've done it.
Note. The following will stop you being able to edit individual rules via the gui for any thing that has been updated to a UDP output!
If you do need to update a rule that has been converted to udp you will need to redo ALL the steps below each time! Its ugly ... but it works. The method below has been tested on 6.3.1 only.
How to create a UDP output for the Splunk For CEF app (v1.0.0).
Create the cef rule by the gui as normal. Set the destination as you would as if UDP was supported. ie. 192.168.0.15:514 etc.
Call the output group something udp specific. ie. udpoutput1
There are now 3 files to edit.
- savedsearches.conf
- inputs.conf
- outputs.conf
savedsearches.conf
Note: i've done a couple of these now and this step isn't already required!
This is what creates the stash file with the translated cef results inside.
We need to change the routing action.
Find the following line for the rule you want UDP to work with.
action.cefout._ROUTING = tcpoutput
Replace with
action.cefout._ROUTING = udpoutput1
inputs.conf
This is what ingests the stash file created from the savedsearch
Find the batch input stanza that matches your output group you want to convert to udp.
ie. [batch://$SPLUNK_HOME/var/spool/splunk/...stash_cef_udpoutput1]
Find
_TCP_ROUTING = udpoutput1
Replace with
_SYSLOG_ROUTING = udpoutput1
outputs.conf
This controls where the data is sent.
Find the tcp udpoutput1 stanza
ie.
[tcpout:udpoutput1]
sendCookedData = 0
server = 192.168.0.15:514
Replace with
[syslog:udpoutput1]
server = 192.168.0.15:514
type = udp
sendCookedData = 0
Save and restart splunk.
Rejoice as glorious UDP packets stream into your destination security devices!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
