Getting Data In

Forward Logs to Third Party Syslog Server - Not able to receive log data as _raw data in Third Party Syslog Server

lubinak
Engager

I am collecting Windows machine logs through a Universal Forwarder to a Splunk Heavy Forwarder.

UF STANZA - outputs.conf

[tcpout]
defaultGroup=windows_index

[tcpout:windows_index]
sendCookedData=false
server=192.168.1.172:9997


Heavy Forwarder STANZA - outputs.conf

[tcpout:win_log_forw]
disabled=false
sendCookedData=false
server=192.168.1.182:514


Then I forward the logs from the Splunk Heavy Forwarder to the Splunk Indexer and a third party syslog server.

Challenge: The third party syslog server is receiving the data parsed, not as raw data.

Goal: I need to receive the data in raw format on the third party syslog server.

THIRD PARTY SYSLOG RECEIVING LIKE BELOW (NOT RAW)

2019-02-21T05:24:16.257287+00:00 192.168.1.172 /2019 09:24:14 PM#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 LogName=Security#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 SourceName=Microsoft Windows security auditing.#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventCode=4648#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventType=0#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 Type=Information#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 ComputerName=WIN-AEG45MM7137#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 TaskCategory=Logon#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 OpCode=Info#015
2019-02-21T05:24:16.257287+00:00 192.168.1.172 RecordNumber=782#015

0 Karma

marycordova
SplunkTrust

Can you send to the 3rd party server direct from the universal forwarder instead of the heavy forwarder? The main job of the heavy forwarder is to do some of the parsing work before sending to the indexers.

@marycordova
0 Karma

spectrum2035
Explorer

I didn't try it. Can we send it directly to the 3rd party system using the UF? My understanding is that we need the HF.

0 Karma

lubinak
Engager

Help Please

spectrum2035
Explorer

Hello, were you able to fix it? I am having the same issue as well.

0 Karma

FrankVl
Ultra Champion

The data in this old question looks like raw data to me. This is just plain Windows logs being sent line by line over syslog, and then the syslog server writing it to disk, adding a timestamp and hostname (IP address in this case) in front of each line (because syslog thinks each line is an event).

Getting rid of the timestamp and hostname is probably just a matter of using a different template for writing to disk on the syslog server. Same for the #015: that is the syslog daemon replacing the carriage return (\r) control character with something readable. There is a syslog setting to disable that: $EscapeControlCharactersOnReceive off

In general I think it is a really bad idea to send this kind of complex multiline events over syslog like this. That is bound to get messed up somehow as syslog daemons are not very good at dealing with multiline data.

0 Karma

spectrum2035
Explorer

Hi FrankVl,

Thanks for your reply. I did enable $EscapeControlCharactersOnReceive off, but it cuts off the data. I have posted a question on Splunk Answers (Windows Event logs sending to syslog): https://answers.splunk.com/answers/756494/windows-event-logs-sending-to-syslog.html

0 Karma