Can you help me forward Windows events to a 3rd party system?

ikulcsar
Communicator

Hi,

I am trying to forward the Windows events from Splunk to a 3rd party syslog system. I checked the docs and also several answers here.

I have a Search head, an Indexer and Universal Forwarder (UF) agents on the source Windows servers. (Splunk version 7.1.3)
The UFs forward all the events to the indexer with no problems. The IX forwards all (or at least most) of the required events to the 3rd party system, but it is also forwarding some other syslog messages (received from VMware vCenter), which it should not do.

What am I doing wrong?

The outputs.conf on the IX:

[syslog]
[syslog:external]
server=192.168.10.134:514
priority=NO_PRI

The transforms.conf on the IX:

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external

I am using Windows TA v4.8.4. I tried to find out how to configure it to forward all the System/Application/Security events and nothing else.
So I added the following code to several places in props.conf:

TRANSFORMS-external = send_to_syslog

Regards,
István

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @ikulcsar,

Can you please provide props.conf configuration from Indexers?
You need to configure props.conf on the Indexer for only those sourcetypes from which you want to send traffic to the 3rd party.
For example, if you want to forward only WinEventLog:Application and WinEventLog:Security to the syslog server, props.conf should look like this:

[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog

0 Karma

ikulcsar
Communicator

Hi,

Thx. I found the problem which caused the non-requested syslog forwarding... I forgot to delete some config from the previous test...

The Windows TA v4.8.4 is a little messy, at least for me. I didn't find 3 identical stanzas for the System/App/Security events...
Finally, these are the ones I chose:

[source::WinEventLog:System]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[source::*:Security]
TRANSFORMS-external = send_to_syslog

So far looks good. Thx.

0 Karma

harsmarvania57
Ultra Champion

You can use the configuration below in props.conf, which is easier to understand because all 3 stanzas use sourcetypes.

[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog

[WinEventLog:System]
TRANSFORMS-external = send_to_syslog
0 Karma
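The following is an added illustration, not code from the thread or from Splunk: a small Python model of how an indexer decides which events a TRANSFORMS-* routing rule applies to, run over the accepted answer's sourcetype-scoped props.conf and over the mixed sourcetype/source:: variant from the earlier reply. It assumes simplified matching rules (a bare stanza name matches the event's sourcetype; a source:: stanza is matched against the event's source with `*` standing for any characters except `/`), and the sample events, including the `vmware:vcenter` and `custom:audit` sourcetypes and the `AppAudit:Security` source, are constructed for the demonstration. The point it makes is the one the answers make: with per-sourcetype stanzas only the three Windows sourcetypes reach the external syslog server, while a wildcard source:: stanza can also pick up data you did not mean to send out.

```python
import configparser
import re

# Constructed configuration text, mirroring the stanzas posted in the thread.
OUTPUTS_CONF = """
[syslog:external]
server = 192.168.10.134:514
priority = NO_PRI
"""

TRANSFORMS_CONF = """
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = external
"""

# Accepted answer: one stanza per Windows sourcetype, nothing else matches.
PROPS_SCOPED = """
[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Security]
TRANSFORMS-external = send_to_syslog

[WinEventLog:System]
TRANSFORMS-external = send_to_syslog
"""

# Earlier variant: a mix of sourcetype stanzas and source:: stanzas,
# one of them with a wildcard.
PROPS_MIXED = """
[source::WinEventLog:System]
TRANSFORMS-external = send_to_syslog

[WinEventLog:Application]
TRANSFORMS-external = send_to_syslog

[source::*:Security]
TRANSFORMS-external = send_to_syslog
"""

# Constructed sample events: three that should leave, two that should not.
EVENTS = {
    "win_security": {"sourcetype": "WinEventLog:Security",
                     "source": "WinEventLog:Security",
                     "_raw": "EventCode=4624 An account was successfully logged on."},
    "win_system": {"sourcetype": "WinEventLog:System",
                   "source": "WinEventLog:System",
                   "_raw": "EventCode=7036 The Print Spooler service entered the running state."},
    "vcenter": {"sourcetype": "vmware:vcenter",          # constructed name
                "source": "udp:514",
                "_raw": "vpxd: Task: Power On virtual machine"},
    "app_audit": {"sourcetype": "custom:audit",          # constructed name
                  "source": "AppAudit:Security",         # ends in ':Security'
                  "_raw": "user=alice action=export_report"},
}


def load_conf(text):
    """Parse Splunk-style .conf text; keys keep their case (TRANSFORMS-...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def stanza_matches(stanza, event):
    """Assumed matching rules: 'source::<pattern>' is matched against the
    event's source ('*' = any run of characters other than '/'); any other
    stanza name is compared with the event's sourcetype."""
    if stanza.startswith("source::"):
        pattern = re.escape(stanza[len("source::"):]).replace(r"\*", "[^/]*")
        return re.fullmatch(pattern, event["source"]) is not None
    return stanza == event["sourcetype"]


def syslog_destinations(event, props, transforms, outputs):
    """Return the syslog servers this event would be routed to."""
    servers = set()
    for stanza in props.sections():
        if not stanza_matches(stanza, event):
            continue
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    continue                      # not a syslog routing rule
                if re.search(t["REGEX"], event["_raw"]) is None:
                    continue                      # REGEX gate did not fire
                servers.add(outputs["syslog:" + t["FORMAT"]]["server"])
    return sorted(servers)


def route_all(props_text):
    """Map each sample event name to the servers it would be sent to."""
    props = load_conf(props_text)
    transforms = load_conf(TRANSFORMS_CONF)
    outputs = load_conf(OUTPUTS_CONF)
    return {name: syslog_destinations(ev, props, transforms, outputs)
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, text in (("scoped", PROPS_SCOPED), ("mixed", PROPS_MIXED)):
        print(label, route_all(text))
```

Running it shows the scoped props.conf sending only the two Windows events to 192.168.10.134:514 and nothing for the vCenter or application audit events, whereas the mixed variant also routes the constructed `AppAudit:Security` event because `[source::*:Security]` matches any source ending in `:Security`. That is the practical reason to prefer the three plain sourcetype stanzas when the goal is to hand a third party exactly the Windows System/Application/Security logs and nothing else.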

ikulcsar
Communicator

Thx, works.

0 Karma