BeyondTrust Retina logs through Splunk HTTP Event Collector

Path Finder

I am trying to onboard Retina logs through the HTTP Event Collector, but I am not having any luck with it.

The firewall has been opened, and I can see the traffic being allowed, but it is not reaching the HEC.
We see the error below when we try:
SplunkClient.SendApiRequest failed with error 'The remote server returned an error:(404) Not Found'.

Not sure where the issue is; we have tried a couple of different endpoints. However, I can use curl to send data. Has anyone onboarded data through the HTTP Event Collector for BeyondTrust Retina?

Path Finder

Has there been any update on this?

Path Finder

Yeah, we finally got it working. It was a firewall issue.

Path Finder

How did you configure BeyondTrust to send via the HTTP Event Collector?

Path Finder

Or do you have a link to any documentation?

Path Finder

Well, I don't own the BeyondTrust application. However, they provided me access to the console to troubleshoot. I just needed to add the following on the configuration page of BT:
Host Name:
Port:
Splunk Index:
Splunk Sourcetype:
Splunk Source:

Then at the bottom they had a panel to checkmark what to send, or something similar.

Path Finder

Ahh, yeah, I don't see the configuration page in BT. Unless you are referring to Tools-->Alerting-->Actions, but that doesn't have anything Splunk related other than the host value to send to.

Path Finder

No. It was under Configure -> Connectors.

Do you have that option? I got access through the web page, not the actual console.

Path Finder

I believe we are on an older version; working to get it updated now. Are you using a TA for the props / transforms, or did you just build your extractions custom?

Path Finder

I don't have any props or transforms as of now.

Path Finder

I believe that since the data does not come through raw, it is considered already "cooked" and no index-time extractions can be applied. We are missing a severity field, and the timestamp is 4 hours off. This is using the Splunk HEC connector. We might have to default back to syslog! Thanks for the help!

Path Finder

Yeah, the time is off. I haven't had time to do any research on how to fix it. Props don't work either.

Path Finder

But one thing I noticed was that the test didn't have issues, as the logs didn't have any time in them, so it took the indexing time. But the real logs have time, and it gets screwed up.

Path Finder

I agree. I have had similar issues.

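The timestamp drift discussed above goes away if the sender converts the log's local time to epoch and passes it in HEC's `time` field, which the collector honours as-is instead of guessing a timezone. The script below is an added example written for this thread, not code from BeyondTrust or the Splunk connector; the Retina log layout, the UTC-4 sender offset, and the HEC URL, token, index, sourcetype and source names are all assumptions.

```python
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample line: the thread shows no real Retina output, so the
# layout here (local time first, then key=value pairs) is an assumption.
SAMPLE_LINE = "2019-03-14 10:15:30 host=scanner01 severity=High msg=VulnFound"
SENDER_TZ = timezone(timedelta(hours=-4))  # assumed offset, matching the "4 hours off" symptom

_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")


def to_epoch(ts_text, tz):
    """Interpret a naive 'YYYY-MM-DD HH:MM:SS' string in the sender's zone."""
    naive = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).timestamp()


def build_hec_event(line, tz, index, sourcetype, source):
    """Return the JSON body for /services/collector/event.

    An explicit 'time' is used by HEC as given, so converting on the sender
    side removes the indexer's timezone guess; 'fields' carries the severity
    that the connector path in the thread was losing.
    """
    m = _TS_RE.match(line)
    if not m:
        raise ValueError("no leading timestamp: %r" % line)
    ts_text, rest = m.groups()
    sev = re.search(r"\bseverity=(\S+)", rest)
    return {
        "time": to_epoch(ts_text, tz),
        "index": index, "sourcetype": sourcetype, "source": source,
        "event": line,  # original text stays in _raw for search-time extractions
        "fields": {"severity": sev.group(1) if sev else "unknown"},
    }


def send_to_hec(url, token, payload, timeout=10):
    """POST one event; url should end in /services/collector/event (default port 8088).

    If HEC answers 200 to curl but this client sees 404, compare the exact path
    and check nothing in between (proxy, firewall) is answering instead of Splunk.
    """
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())  # HEC replies {"text": "Success", "code": 0}


if __name__ == "__main__":
    body = build_hec_event(SAMPLE_LINE, SENDER_TZ, "retina", "beyondtrust:retina", "retina_hec")
    print(json.dumps(body, indent=2))
    # send_to_hec("https://splunk.example.org:8088/services/collector/event", "<HEC_TOKEN>", body)
```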