Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ingesting same Windows log with two different input stanzas

dkarbowski
Engager
‎03-06-2020 05:19 AM

I am collecting Sysmon logs via Splunk UF in XML format (renderXml=true). I need to forward some specific Sysmon events to QRadar without XML formatting. I would like to keep sending all Sysmon events in XML format to Splunk.

I tried to make two different stanzas in inputs.conf trying to ingest the same log in two different ways but it does not seem to work.

It looks like Splunk merge these two together in runtime.

The idea was to filter non-XML events on HF by using props.conf, transforms.conf and _SYSLOG_ROUTING to send it to QRadar.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = false
index = sysmon
whitelist = 1,22
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bandit
Motivator
‎03-06-2020 05:28 AM

Spitballing...

  1. Possibly two forwarders on the same host and put one rule on each forwarder?
    https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html

  2. Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI

  3. Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

  4. PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?vie... https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples

  5. Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html

View solution in original post

Reply
Solved! Jump to solution

jamesjarrett
Path Finder
‎06-01-2021 12:30 PM

Look into "CLONE_SOURCETYPE"? or maybe this here. sorry for the hit n run...
https://community.splunk.com/t5/Getting-Data-In/How-can-I-use-CLONE-SOURCETYPE-to-send-a-cloned-modi...

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎03-07-2020 12:22 AM

Hi @dkarbowski,
you could try to create a symbolic link and use the second stanza pointing to the symbolic link file.
I'm sure of this solution on Linux because I used it, I never tested it on Windows!

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-07-2020 05:03 AM

That would work for a file, which this is not.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-06-2020 11:03 AM

Not possible. You will need to install the UF twice in order to accomplish this.

0 Karma
Reply
Solved! Jump to solution
Solution

bandit
Motivator
‎03-06-2020 05:28 AM

Spitballing...

  1. Possibly two forwarders on the same host and put one rule on each forwarder?
    https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html

  2. Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI

  3. Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

  4. PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?vie... https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples

  5. Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html

Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...