Hi All,
We have a Splunk and a LogRhythm set up. The Splunk environment existed first so all our devices send syslog to the Splunk Heavy Forwarders.
We now have a LogRhythm set up as well as a (now smaller) Splunk licence.
What I need to do is continue to send whatever hits the heavy forwarders on to LogRhythm as syslog, but also cull it down and send only certain sourcetypes on to Splunk. Otherwise we need to change the config on 150 devices.
What I have tried to do is:
(i) send default TCPOUT to the null queue then do a routing transform on the sourcetypes we want to keep in Splunk.
This hasn't worked because as soon as I set the default TCPOUT to the null queue, LogRhythm stops getting syslog.
(ii) send uncooked data to LogRhythm instead of syslog
This hasn't worked either; I can't work out why, though maybe my config is wrong.
Current set up
[tcpout]
defaultGroup = lb
useACK = false
[tcpout:lb]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true
[syslog]
defaultGroup=LR
[syslog:LR]
server = 10.90.90.100:514
Attempted new set up (i)
*** props.conf ***
[cisco_asa]
TRANSFORMS-routing= splunkRouting
[cisco_router]
TRANSFORMS-routing= splunkRouting
*** transforms.conf ***
[splunkRouting]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=allowedEvents
*** outputs.conf ***
[tcpout]
defaultGroup = lb
useACK = false
indexAndForward = 0
[tcpout:lb]
server = 0.0.0.0:0000
[tcpout:allowedEvents]
defaultGroup = splunk_lb
useACK = false
[tcpout:splunk_lb]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true
[syslog]
defaultGroup=LR
[syslog:LR]
server = 10.90.90.100:514
This set up, when applied, stops sending syslog to LogRhythm.
I have also tried sending uncooked data to LogRhythm as per the below:
*** props.conf ***
[cisco_asa]
TRANSFORMS-routing= logrhythmRouting
*** transforms.conf ***
[logrhythmRouting]
REGEX=(.)
DEST_KEY=_TCP_ROUTING
FORMAT=lbsplunk,LR
*** outputs.conf ***
[tcpout]
defaultGroup=LR
useACK = false
[tcpout:LR]
server = 10.90.90.100:9997
sendCookedData=false
[tcpout:splunkserver]
defaultGroup=lbsplunk
[tcpout:lbsplunk]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true
Would there be any way I could approach this, as we want to keep using Splunk for our selected gear and let the others use LogRhythm?
Try this:
props.conf
[cisco_asa]
TRANSFORMS-routing = logrhythmRouting
transforms.conf
[logrhythmRouting]
# "." matches every event of this sourcetype, so the transform always fires
REGEX = .
DEST_KEY = _TCP_ROUTING
# group names from outputs.conf; this replaces defaultGroup for matching events
FORMAT = LR,splunkserver
outputs.conf
[tcpout]
# everything not re-routed by a transform goes to LogRhythm only
defaultGroup = LR
[tcpout:LR]
server = 10.90.90.100:9997
# plain TCP text rather than Splunk-to-Splunk cooked data
sendCookedData=false
[tcpout:splunkserver]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
This should work - it should route everything to LogRhythm, and the cisco_asa sourcetype to both.
You don't need multiple defaultGroup statements to make this work; actually, that might even break it.
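To see why the answer's config routes the way it says (and why the question's attempt (ii) was rejected), here is an offline model of the per-event output-group selection on a heavy forwarder. This is an added example, not Splunk's own code: it re-implements the documented rule that an event goes to the [tcpout] defaultGroup unless a TRANSFORMS entry for its sourcetype matches and sets _TCP_ROUTING, in which case FORMAT names the target groups instead. The conf text inside it is a constructed copy of the answer's config (and of attempt (ii) for the lint check), the sample events are constructed, and Python's re module stands in for Splunk's PCRE. It only models tcpout groups; the [syslog] stanza and _SYSLOG_ROUTING are out of scope.

```python
"""Offline model of Splunk's per-event output-group selection (added example,
not Splunk code). Rule modelled: an event leaves the heavy forwarder to the
[tcpout] defaultGroup unless a TRANSFORMS entry for its sourcetype matches and
sets _TCP_ROUTING, in which case FORMAT names the target groups instead.
Conf text below is a constructed copy of the answer's config; Python's re
module stands in for PCRE."""
import configparser
import re

PROPS = """\
[cisco_asa]
TRANSFORMS-routing = logrhythmRouting
"""

TRANSFORMS = """\
[logrhythmRouting]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = LR,splunkserver
"""

OUTPUTS = """\
[tcpout]
defaultGroup = LR
[tcpout:LR]
server = 10.90.90.100:9997
sendCookedData = false
[tcpout:splunkserver]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
"""

# Attempt (ii) from the question, for the lint check below (constructed copy).
BAD_OUTPUTS = """\
[tcpout]
defaultGroup = LR
[tcpout:LR]
server = 10.90.90.100:9997
sendCookedData = false
[tcpout:splunkserver]
defaultGroup = lbsplunk
[tcpout:lbsplunk]
server = 10.90.90.90:9997, 10.90.90.91:9997, 10.90.90.92:9997
autoLB = true
"""


def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: REGEX, DEST_KEY, defaultGroup
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def route(sourcetype, raw, props, transforms, outputs):
    """Return the tcpout group names an event with this sourcetype goes to."""
    groups = _split(outputs["tcpout"]["defaultGroup"])
    for key, names in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in _split(names):
            t = transforms[name]
            if t.get("DEST_KEY") == "_TCP_ROUTING" and re.search(t["REGEX"], raw):
                groups = _split(t["FORMAT"])  # the transform replaces the default
    return groups


def plan(sourcetype, raw, props, transforms, outputs):
    """Map each target group to whether it receives cooked (Splunk-to-Splunk)
    data. sendCookedData defaults to true, so the LogRhythm group must set it
    to false to receive plain TCP text."""
    return {
        g: outputs[f"tcpout:{g}"].get("sendCookedData", "true").lower() != "false"
        for g in route(sourcetype, raw, props, transforms, outputs)
    }


def lint_outputs(outputs):
    """Flag the misconfigurations seen in the question's attempts: a
    defaultGroup inside a target-group stanza (it belongs in [tcpout] only)
    and a target group that names no server."""
    problems = []
    for stanza, keys in outputs.items():
        if not stanza.startswith("tcpout:"):
            continue
        if "defaultGroup" in keys:
            problems.append(f"{stanza}: defaultGroup belongs in [tcpout], not here")
        if "server" not in keys:
            problems.append(f"{stanza}: no server defined for this group")
    return problems


if __name__ == "__main__":
    props, transforms, outputs = (parse_conf(t) for t in (PROPS, TRANSFORMS, OUTPUTS))
    samples = [  # constructed sample events
        ("cisco_asa", "%ASA-6-302013: Built outbound TCP connection 12 for outside:1.2.3.4/443"),
        ("cisco_router", "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up"),
    ]
    for st, raw in samples:
        print(st, "->", plan(st, raw, props, transforms, outputs))
    print("answer config:", lint_outputs(outputs) or "ok")
    print("attempt (ii):", lint_outputs(parse_conf(BAD_OUTPUTS)))
```

Running it shows cisco_asa going to both LR (uncooked) and splunkserver (cooked), every other sourcetype going to LR only, and the lint reporting the stray defaultGroup in [tcpout:splunkserver] from attempt (ii). It is a model of the routing decision, not a substitute for `splunk btool outputs list --debug` and a packet capture on the forwarder, which remain the real checks.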
Thanks heaps for your help, xpac; this works now. I can see traffic heading off to both destinations in packet caps.
Awesome 🙂