All Apps and Add-ons

RSA DLP and Splunk

SYY
New Member

Has anyone tried to feed RSA DLP event logs into Splunk? Someone told me data format can be CEF syslog, but from RSA Enterprise Manager, I can only see raw syslogs.

Can anyone provide an example of what kind of data will I see in Splunk.

Thanks in Advance.

Tags (2)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

If don't see a published TA app for it, chances are nobody else (who can talk about it publically) has been down this road. Make a test index, set up a data feed, see what you get 🙂

0 Karma

jpass
Contributor

"Can anyone provide an example of what kind of data will I see in Splunk"

Splunk won't change the way your logs look if you were to simply view them in Nano or a text editor or something.

If your logs look like this:

2013-10-15 23:44:05 theabyss gonnagetusucka 00012
2013-10-15 23:44:05 bigtroublelilchina mistermom 00015
2013-10-15 23:44:05 inspector jaba 00013
2013-10-15 23:44:05 yogi binks 00019
2013-10-15 23:44:05 boobo daluke 00011

They will end up in splunk looking the same. Although, they will be separated into individual events.

I'm not sure what type of logs you're referring to but I used movie titles and other things that came to mind because it doesn't matter what your logs look like. They go into Splunk and, unless you create some transforms, they won't be changed.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...