I am collecting Sysmon logs via the Splunk UF in XML format (renderXml=true). I need to forward some specific Sysmon events to QRadar without XML formatting. I would like to keep sending all Sysmon events in XML format to Splunk.
I tried to create two different stanzas in inputs.conf to ingest the same log in two different ways, but it does not seem to work.
It looks like Splunk merges these two together at runtime.
The idea was to filter the non-XML events on the HF by using props.conf, transforms.conf and SYSLOGROUTING to send them to QRadar.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = false
index = sysmon
whitelist = 1,22
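Worked example of the heavy-forwarder routing the question describes, added here as an illustration and not taken from any post on this page. It assumes the UF sends the XML-rendered Sysmon channel to a heavy forwarder, that the events therefore arrive with the sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (the name Splunk assigns when renderXml=true), and that QRadar listens on the made-up address qradar.example.internal, UDP port 514. The two same-named inputs.conf stanzas in the question collapse into one because Splunk merges identically named stanzas when it layers configuration files (`splunk btool inputs list --debug` on the UF shows the merged result), so the selection of events 1 and 22 has to happen downstream, on the HF:

```ini
# transforms.conf on the heavy forwarder (example; all names below are assumptions)
# Match Sysmon event IDs 1 (process create) and 22 (DNS query) in the XML
# rendered by the UF. The [^>]* tolerates an attribute on <EventID>.
[sysmon_to_qradar]
REGEX = <EventID[^>]*>(?:1|22)</EventID>
DEST_KEY = _SYSLOG_ROUTING
FORMAT = qradar_syslog

# props.conf on the heavy forwarder
# renderXml=true on the UF yields sourcetype XmlWinEventLog:<channel>,
# so the transform is bound to that sourcetype.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-qradar = sysmon_to_qradar

# outputs.conf on the heavy forwarder
# Syslog output group referenced by FORMAT above; host and port are assumed.
# The default tcpout group to the indexers stays untouched, so Splunk
# continues to receive every Sysmon event in XML.
[syslog:qradar_syslog]
server = qradar.example.internal:514
type = udp
```

Events that match the regex are copied to the syslog output; setting _SYSLOG_ROUTING does not remove them from the default tcpout group, so the indexers still get the full XML stream. The caveat a practitioner should expect: the syslog output writes the event's _raw, and on this path _raw is the XML the UF already produced, so this routing delivers filtered XML to QRadar rather than a plain-text rendering. A single parsed copy of an event cannot be rendered two ways inside one forwarding pipeline, which is why a second collection path (a second forwarder, WMI, a script) is needed to meet the non-XML requirement.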
Possibly run two forwarders on the same host and put one rule on each forwarder?
Collect remotely using WMI and let a Heavy Forwarder route to QRadar https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_WMI
Write code to query the data from the Splunk REST API, reformat the message, and post it to QRadar https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing
PowerShell script to periodically query events and either write to a new log, post to Splunk HTTP Event Collector, or directly to QRadar https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?vie... https://docs.splunk.com/Documentation/Splunk/latest/Data/HECExamples
Splunk Data Stream Processor https://www.splunk.com/en_us/software/stream-processing.html
You could try to create a symbolic link and use the second stanza pointing to the symbolic link file.
I'm sure of this solution on Linux because I have used it; I never tested it on Windows!