Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Ingesting same Windows log with two different input stanzas

dkarbowski
Engager
‎03-06-2020 05:19 AM

I am collecting Sysmon logs via Splunk UF in XML format (renderXml=true). I need to forward some specific Sysmon events to QRadar without XML formatting. I would like to keep sending all Sysmon events in XML format to Splunk.

I tried to make two different stanzas in inputs.conf trying to ingest the same log in two different ways but it does not seem to work.

It looks like Splunk merge these two together in runtime.

The idea was to filter non-XML events on HF by using props.conf, transforms.conf and _SYSLOG_ROUTING to send it to QRadar.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = false
index = sysmon
whitelist = 1,22
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bandit
Motivator
‎03-06-2020 05:28 AM

Spitballing...

  1. Possibly two forwarders on the same host and put one rule on each forwarder?
    https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html

  2. Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI

  3. Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

  4. PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?vie... https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples

  5. Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html

View solution in original post

Reply
Solved! Jump to solution

jamesjarrett
Path Finder
‎06-01-2021 12:30 PM

Look into "CLONE_SOURCETYPE"? or maybe this here. sorry for the hit n run...
https://community.splunk.com/t5/Getting-Data-In/How-can-I-use-CLONE-SOURCETYPE-to-send-a-cloned-modi...

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-07-2020 12:22 AM

Hi @dkarbowski,
you could try to create a symbolic link and use the second stanza pointing to the symbolic link file.
I'm sure of this solution on Linux because I used it, I never tested it on Windows!

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-07-2020 05:03 AM

That would work for a file, which this is not.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-06-2020 11:03 AM

Not possible. You will need to install the UF twice in order to accomplish this.

0 Karma
Reply
Solved! Jump to solution
Solution

bandit
Motivator
‎03-06-2020 05:28 AM

Spitballing...

  1. Possibly two forwarders on the same host and put one rule on each forwarder?
    https://www.splunk.com/en_us/blog/tips-and-tricks/running-two-universal-forwarders-on-windows.html

  2. Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI

  3. Write code to query the data from the Splunk REST API, reformat message, and post to to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

  4. PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?vie... https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples

  5. Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...