Deployment Architecture

How to remove the heavy forwarder's timestamp and host from data when it is being forwarded to a 3rd-party system

prathamesh_aug3
New Member

Hi,

I have a heavy forwarder which sends data to indexers and at the same time sends the same data to the QRadar SIEM.

The indexers receive the data correctly with no issue. But when I send it to the QRadar system it appends an extra header to the packets with the forwarder as the sending host and the time it was forwarded, not the original MPLS ASA time.

I am using 'syslog' in outputs.conf, and this allows us to use "type = udp", which QRadar expects and prefers.

If I use "no_appending_timestamp = true" in inputs.conf I am afraid that it will impact the indexer sending as well, which is currently working fine.

My inputs.conf looks like:

[monitor:///splunk/splunkdata/catch_all/.../*.log]
sourcetype = syslog
index = main
host_segment = 4
recursive = true
ignoreOlderThan = 3d
disabled = false

and outputs.conf with the QRadar stanza:

[syslog:Qradar_Output]
server = qradar server hostname:514

Can you please help me with a setting where I can remove the extra header with the forwarder timestamp and host name without impacting my indexers receiving data.

Thanks


esix_splunk
Splunk Employee

If you're referring to the Splunk syslog output processor, by default Splunk will put in the hostname and timestamp. A workaround for this is to use tcpout, and set it to UDP.

https://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Outputsconf#TCPOUT_ATTRIBUTES----

[tcpout:qradar]
sendCookedData = false

Do be aware that if the QRadar / syslog receiver on the other side is down, there is potential for indexing queues to be blocked. So you should look at adjusting the queuesize, blockoncloning, and dropevents settings.
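To show how the tcpout approach from this answer can sit beside the existing indexer output without changing it, here is a constructed outputs.conf for the heavy forwarder. It is an added example, not configuration from this thread or from Splunk; the group names `indexers` and `qradar`, the hostnames and the queue values are assumptions chosen for illustration. The indexer group stays cooked (the default), while the third-party group gets `sendCookedData = false` so only raw event text leaves for that destination, and `defaultGroup` lists both groups so every input is cloned to both.

```ini
# outputs.conf on the heavy forwarder (constructed example, not from the thread)

[tcpout]
# Listing two groups clones every event to both of them.
# The indexer group is untouched; only the qradar group changes.
defaultGroup = indexers, qradar

[tcpout:indexers]
# Hostnames are placeholders. Cooked data (Splunk's own wire format)
# is the default, so nothing needs to be set here.
server = idx1.example.com:9997, idx2.example.com:9997

[tcpout:qradar]
# Placeholder hostname for the third-party receiver (TCP port, not UDP).
server = qradar.example.com:514
# Send the raw event text without Splunk's cooked headers.
sendCookedData = false
# If the receiver goes down, do not block the indexer clone behind it:
# queue a bounded amount, then drop rather than stall (values are assumptions).
maxQueueSize = 10MB
dropEventsOnQueueFull = 30
blockOnCloning = false
```

With `blockOnCloning = false` and `dropEventsOnQueueFull` set, an outage of the third-party receiver costs you events on that leg only; with the defaults (blocking, no drop) the tcpout queue fills and the indexer leg stalls with it, which is the queue-blocking risk the answer warns about. Restart the forwarder after editing and confirm with `splunk btool outputs list --debug` that both stanzas are read as written.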

prathamesh_aug3
New Member

We tried using sendCookedData = false with tcpout but it doesn't send any data to QRadar.

  1. Send data using ‘tcpout’ in the outputs.conf.

    This allows the records to go out "un-cooked" (sendCookedData = false) and without any additional packet changes. QRadar did not seem to see these packets in our test yesterday. Not sure why.

  2. Send the data using ‘syslog’ in the outputs.conf

    This allows us to use "type = udp", which QRadar expects and prefers. QRadar got all the packets we sent, but it adds extra headers to the packets with our forwarders as the sending hosts and the time it was forwarded, not the original MPLS ASA time.


koshyk
Super Champion

It is strange. Are you sure your syslog engine/server is NOT inserting the timestamp? By default, Splunk's forwarded syslog data timestampformat is empty. https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd
