We are currently in a situation where we need to forward all kinds of events from a customer's Splunk installation to a LogRhythm solution. For some reason, this forwarding needs to be done by syslog - which is fine for all log data sourced from system messages over syslog - but is bad for all log data sourced from Windows event logs.
Why do I think the latter is bad?
Well, we're having problems with getting it right:
Then it is time to introduce the fact that LogRhythm also would like the Windows events to be in XML format. And it introduces some additional fun to the situation:
But how is this solvable? What am I missing on the Splunk side? Is there more to be done on the Windows side to get more or better data into the details and XML? Using XML-formatted events must mean that the receiving side can resolve numbered levels, reason codes and whatnot to make it human-readable, at least at the alerting level.
So, in essence, the real question here is: Has anyone out there any experience with forwarding data to LogRhythm from Splunk?
Any help is deeply appreciated.
Are you sending “cooked” data to LR?
Cooked data has the Splunk header with something like this:
*** SPLUNK INDEX=... SOURCETYPE=... SOURCE=... _raw=...
The XML wouldn't start until after the _raw=, which would confuse a schema-on-ingest app like LR.
There are options on outputs to not send cooked data. The article rich777 mentioned covers the configuration, I believe.
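For reference, here is what the two output styles discussed above look like in Splunk configuration. This is an added example, not the answerer's or the question author's configuration: the stanza names, the `logrhythm.example.internal:514` address and the `WinEventLog:Security` sourcetype are placeholders and must be replaced with the real values. `sendCookedData` is a setting of `[tcpout]` stanzas only; a `[syslog:...]` output stanza emits the `_raw` event behind a syslog header and never prepends the `*** SPLUNK ...` cooked header, which is why the two options are shown side by side.

```ini
# outputs.conf (on the forwarder or indexer that talks to LogRhythm)

# Option A: raw TCP to LogRhythm. Without sendCookedData = false the
# receiver gets the "*** SPLUNK INDEX=... _raw=..." header in front of
# every event, which is what breaks schema-on-ingest parsing of the XML.
[tcpout:logrhythm_tcp]
server = logrhythm.example.internal:514   ; placeholder host:port
sendCookedData = false

# Option B: Splunk's syslog output. Payload is the raw event with a
# syslog header; there is no cooked header to suppress here.
[syslog:logrhythm_syslog]
server = logrhythm.example.internal:514   ; placeholder host:port
type = tcp

# props.conf: select the Windows event log sourcetype to route.
# Sourcetype name is a placeholder; use whatever the Windows inputs produce.
[WinEventLog:Security]
TRANSFORMS-route_to_lr = route_wineventlog_to_lr

# transforms.conf: send matching events to the syslog output group above.
# For Option A use DEST_KEY = _TCP_ROUTING and FORMAT = logrhythm_tcp instead.
[route_wineventlog_to_lr]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = logrhythm_syslog
```

Two checks are worth doing after applying this. First, confirm on the LogRhythm side (or with a packet capture on the forwarder) that no received line begins with `*** SPLUNK`; if it does, the events are still leaving through a cooked `[tcpout]` group rather than the stanza above. Second, the XML vs. classic rendering of Windows events is decided on the Windows input, not on the output: the `renderXml` setting in the `[WinEventLog://...]` stanza of inputs.conf on the universal forwarder controls whether `_raw` carries the XML document, so the output configuration cannot add XML that the input never collected.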