Getting Data In

BeyondTrust Retina logs through Splunk HTTP Event Collector

sshres5
Communicator

I am trying to onboard Retina logs through HTTP Event Collector, however I am not having any luck with it.

Firewall has been opened, and I can see it being allowed, but it is not reaching the HEC.
We can see the below error when we try
SplunkClient.SendApiRequest failed with error 'The remote server returned an error:(404) Not Found'.

Not sure where the issue is, we have tried a couple of different endpoints. However, I can use curl to send data. Has anyone onboarded data through HTTP Event Collector for BeyondTrust Retina?

0 Karma

j0shrice
Path Finder

Has there been any update on this?

0 Karma

sshres5
Communicator

Yeah, we finally got it working. It was a firewall issue.

0 Karma

j0shrice
Path Finder

How did you configure BeyondTrust to send via the HTTP Event Collector?

0 Karma

j0shrice
Path Finder

Or do you have a link to any documentation?

0 Karma

sshres5
Communicator

Well, I don't own the BeyondTrust application. However, they provided me access to the console to troubleshoot. I just needed to add the following on the configuration page of BT:
Host Name:
Port:
Splunk Index:
Splunk Sourcetype:
Splunk Source:

Then at the bottom they had a panel to check-mark what to send, or something similar.

0 Karma

j0shrice
Path Finder

Ahh, yeah, I don't see the configuration page on BT. Unless you are referring to Tools --> Alerting --> Actions, but that doesn't have anything Splunk related other than the host value to send to.

0 Karma

sshres5
Communicator

No. It was under Configure -> Connectors.

Do you have that option? I got access through the webpage, not the actual console.

0 Karma

j0shrice
Path Finder

I believe we are on an older version, working to get it updated now. Are you using a TA for the props / transforms or just built your extractions custom?

0 Karma

sshres5
Communicator

I don't have any props or transforms as of now.

0 Karma

j0shrice
Path Finder

I believe since the data does not come through raw, it is considered already "cooked" and no index-time extractions can be applied. We are missing a severity field, as well as the timestamp being 4 hours off. This is using the Splunk HEC connector. We might have to default back to syslog! Thanks for the help!

0 Karma

sshres5
Communicator

Yeah, time is off. Haven't had time to do research on how to fix it. Props don't work either.

0 Karma

sshres5
Communicator

But one thing I noticed was the test didn't have issues, as the logs didn't have any time on them, so it took the indexing time. But the real logs have a time, and it gets screwed up.

0 Karma
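Added example, not code from either poster or from BeyondTrust: a small Python sender that builds a Splunk HEC `/services/collector/event` envelope for a Retina-style line. It deals with the two problems raised above by (a) parsing the line's timestamp with an explicit source timezone and putting the resulting epoch in the envelope's `time` key, so the indexer never has to guess the zone, and (b) carrying the severity in the envelope's `fields` key so it is available as an indexed field even though the event arrives "cooked". The log line format, the UTC-4 offset, the index/sourcetype/source/host values and the HEC URL are all constructed assumptions for the example; the endpoint path and the `Authorization: Splunk <token>` header are the standard HEC ones.

```python
"""Build and (optionally) send a Splunk HEC event envelope with an explicit
timestamp and indexed fields. Example code added to the thread; the line
layout below is a constructed BeyondTrust-like format, not Retina's real one."""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample line; assumed layout "<date> <time> key=value ...".
SAMPLE_LINE = "2021-05-04 14:30:00 host=srv01 severity=High msg=Vulnerability found"

# Assumed timezone of the scanner's clock (here a fixed UTC-4 offset).
# Naive timestamps are interpreted in this zone; that is the offset the
# indexer would otherwise have to guess.
SOURCE_TZ = timezone(timedelta(hours=-4))

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
SEV_RE = re.compile(r"\bseverity=(\w+)")


def local_epoch(line, source_tz):
    """Return the line's leading timestamp as a UTC epoch (float), interpreting
    it in source_tz. Returns None when the line carries no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=source_tz).timestamp()


def severity_of(line):
    """Pull the severity token out of the line, or None if absent."""
    m = SEV_RE.search(line)
    return m.group(1) if m else None


def build_hec_event(line, source_tz, index, sourcetype, source, host):
    """Build the JSON envelope for /services/collector/event.
    'time' is set only when the line has a timestamp; otherwise HEC stamps
    the event with the receive time, which is what the test data did above."""
    payload = {
        "event": line,
        "index": index,
        "sourcetype": sourcetype,
        "source": source,
        "host": host,
    }
    ts = local_epoch(line, source_tz)
    if ts is not None:
        payload["time"] = ts
    sev = severity_of(line)
    if sev is not None:
        # 'fields' are defined at index time, so the value is searchable
        # without any index-time props/transforms on the receiving side.
        payload["fields"] = {"severity": sev}
    return payload


def send_to_hec(hec_base_url, token, payload):
    """POST one envelope to HEC. hec_base_url is e.g. https://splunk-host:8088
    (placeholder). A 404 usually means the path or port is wrong: the JSON
    event endpoint is /services/collector/event on the HEC port, not the
    Splunk web port."""
    req = urllib.request.Request(
        hec_base_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    env = build_hec_event(SAMPLE_LINE, SOURCE_TZ, index="retina",
                          sourcetype="beyondtrust:retina",
                          source="retina_connector", host="srv01")
    print(json.dumps(env, indent=2))
    # To actually ship it (placeholder URL/token):
    # print(send_to_hec("https://splunk-host:8088", "HEC_TOKEN_PLACEHOLDER", env))
```

The point of `time` in the envelope is that a timestamp written as "2021-05-04 14:30:00" with no zone is ambiguous; if the sender resolves it against the scanner's real offset and ships an epoch, the "4 hours off" disappears regardless of what timezone the indexer runs in. Lines without a timestamp still fall back to receive time, which matches what the test data did.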

j0shrice
Path Finder

I agree. Have had similar issues.

0 Karma
