Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a new field in indexing time from data received via HEC

corti77
Contributor
‎10-31-2023 07:52 AM

Hi,

I am using Splunk 9.0.6, and I configured HEC + Syslog Connector for Splunk for the data ingestion.

At the moment, I receive events from our two different firewall (PaloAlto and Stormshield). My problem arises with the fact that Stormshield is not directly supported by SC4S, so the extracted fields are not CIM compliant.

More precisely, the field action should contain blocked or allowed as possible values, but it contains pass and block instead.

My question is how it would be the best way to implement this transformation.

I tried creating the following files in the path 

C:\Program Files\Splunk\etc\apps\splunk_httpinput\local

props.conf

[StormShield:StormShield]
TRANSFORMS = rewriteaction

transform.conf

[rewriteaction]
EVAL-action = case(action="pass", "allowed", action="block", "blocked" , 1=1, "UNKNOWN")

I restarted Splunk, but nothing really happened.

Any idea of what I am doing wrong? 

Many thanks.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2023 09:59 AM

This is something you typically do in the search-head layer. It has nothing to do with HEC.

And you're mixing different things here - EVAL-* entries belong directly in props.conf, not in transforms.conf stanza. And again - if you have a bigger environment than an all-in-one setup, this goes into the search-head tier.

View solution in original post

Reply
Solved! Jump to solution

corti77
Contributor
‎11-01-2023 04:13 AM

hi @PickleRick , yes, I am a bit confused about the philosophy behind all these files.

We have only one single server, so I guess it has to be configured there. You mentioned that has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local ?

cheers

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2023 05:50 AM

While in an all-in-one scenario it might not be that important, it's useful to remember that you should avoid putting anything in etc/system/local.

Apart from that, you can put it "anywhere" - see how Splunk merges the separate files into effective config https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2023 09:59 AM

This is something you typically do in the search-head layer. It has nothing to do with HEC.

And you're mixing different things here - EVAL-* entries belong directly in props.conf, not in transforms.conf stanza. And again - if you have a bigger environment than an all-in-one setup, this goes into the search-head tier.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...