All Apps and Add-ons

Splunk Connect for Syslog: How do I source?

millarma
Path Finder

I just installed docker and the Splunk Connect for Syslog app(?).  I configured the env_file to point to my http event collector and have configured the indices, and have received the test events.

How do I actually configure listening on a port?  the documentation here: https://splunk-connect-for-syslog.readthedocs.io/en/master/configuration/ says:

Other than device filter creation, SC4S is almost entirely controlled by environment variables. Here are the categories and variables needed to properly configure SC4S for your environment.

Where do I configure these environmental variables?  Perhaps /opt/sc4s/local/config, but like what file type, what schema?   I mean, I can read, the key/value pair isSC4S_LISTEN_DEFAULT_TLS_PORT=whatever.  but where do I put that?

I was trying to set up receiving of firewall logs from pfsense, the documentation for it says:

Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. So maybe this is this the answer, I should create a csv?  that doesn't sound right.

Probably if I knew Docker I would know the answer to all these questions.  but if anyone could educate me on how to use this, show me some example configurations and show me the filepaths they are located in, I would be deeply appreciative.

<edit>

Nevermind, I found it.  The answer is, most things are configured in /opt/sc4s/env_file.  indexes and sourcetypes are configured in /opt/sc4s/local/context/splunk_metadata.csv.

in the spirit of intellectual honesty, it was in the docs in a couple places, namely the Getting Started section in the os and container specific section, although not in ALL of them.  If I may make a request to the app developers.  I think adding the two paragraph below to the Quickstart Guide would have helped, i think it is an intuitive place to look for people that missed it the first time.


Dedicated (Unique) Listening Ports

For certain source technologies, categorization by message content is impossible due to the lack of a unique “fingerprint” in the data. In other cases, a unique listening port is required for certain devices due to network requirements in the enterprise. For collection of such sources, we provide a means of dedicating a unique listening port to a specific source.

Follow this step to configure unique ports for one or more sources:

  • Modify the /opt/sc4s/env_file file to include the port-specific environment variable(s). Refer to the “Sources” documentation to identify the specific environment variables that are mapped to each data source vendor/technology.

Modify index destinations for Splunk

Log paths are preconfigured to utilize a convention of index destinations that are suitable for most customers.

  • If changes need to be made to index destinations, navigate to the /opt/sc4s/local/context directory to start.
  • Edit splunk_metadata.csv to review or change the index configuration as required for the data sources utilized in your environment. The key (1st column) in this file uses the syntax vendor_product. Simply replace the index value (the 3rd column) in the desired row with the index appropriate for your Splunk installation. The “Sources” document details the specific vendor_product keys (rows) in this table that pertain to the individual data source filters that are included with SC4S.
  • Other Splunk metadata (e.g. source and sourcetype) can be overriden via this file as well. This is an advanced topic, and further information is covered in the “Log Path overrides” section of the Configuration document.
Labels (1)
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...