Getting Data In

Forward windows eventlog to 3rd party system

Path Finder

I need to forward windows eventlog of a particular server to 3rd party system (Arcsight) as raw data.

I created the outputs.conf at local folder and restarted the splunk service.
Then, it looks Arcsight only received sort of splunk log and meta data (windows eventlog) was missed out.

Log forwarding to Splunk server has been working properly.
Can you please let me know how can I make this happen..thanks in advance.

alt text

Here are some data Arcsight received
03-22-2017 19:37:53.078 +0900 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection192.168.198.100(port)(windows host)A2ED90B0-3C6A-4AB7-8CC0-BAFCB3C9F8D9
03-22-2017 19:38:03.613 +0900 INFO Metrics - group=deploy-client, name=appdownloads, volumeCompletedKB=0.0
03-22-2017 19:38:03.613 +0900 INFO Metrics - group=deploy-connections, nCurrent=0
03-22-2017 19:38:03.613 +0900 INFO Metrics - group=realtime
searchdata, system total, dropcount=0
03-22-2017 19:37:38.844 +0900 INFO StatusMgr - destHost=(Splunk Indexer host), destIp=192.168.63.200, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
03-22-2017 19:37:39.266 +0900 INFO TcpOutputProc - Connected to idx=192.168.63.200:9997

0 Karma
1 Solution

Super Champion

Two ways you can forward
1. TCPOUT
2. Syslog

1. TCPOUT , you can do via Universal Forwarder and is easier.
Just put the settings as below

[tcpout]

[tcpout:arcsight]
server = 192.168.38.100:12345
sendCookedData = false

Things to be careful while doing tcpout are
- Ensure your outputs queue won't be filled up if the ArcSight SErver is not available. This might impact your indexing
- Ensure the syslog-server is listening on 12345 and all firewall is enabled

2. Syslog . This requires Heavy Forwarder
For Syslog you need a transforms.conf as below

[fwd_syslog_to_arcsight]
REGEX = .
DEST_KEY=_SYSLOG_ROUTING
FORMAT=arcsight_out

and in outputs.conf

[arcsight_out]
server = 192.168.38.100:12345
priority=NO_PRI
syslogSourceType=helloMrArcSight

Advantages are
- You can send via UDP and don't care about 3rd party system availability
- Can stick to RFC standards as per syslog and no one can ask you to modify the data. My advice is NEVER touch on raw data and 3rd parties will demand more 🙂

View solution in original post

0 Karma

Super Champion

Two ways you can forward
1. TCPOUT
2. Syslog

1. TCPOUT , you can do via Universal Forwarder and is easier.
Just put the settings as below

[tcpout]

[tcpout:arcsight]
server = 192.168.38.100:12345
sendCookedData = false

Things to be careful while doing tcpout are
- Ensure your outputs queue won't be filled up if the ArcSight SErver is not available. This might impact your indexing
- Ensure the syslog-server is listening on 12345 and all firewall is enabled

2. Syslog . This requires Heavy Forwarder
For Syslog you need a transforms.conf as below

[fwd_syslog_to_arcsight]
REGEX = .
DEST_KEY=_SYSLOG_ROUTING
FORMAT=arcsight_out

and in outputs.conf

[arcsight_out]
server = 192.168.38.100:12345
priority=NO_PRI
syslogSourceType=helloMrArcSight

Advantages are
- You can send via UDP and don't care about 3rd party system availability
- Can stick to RFC standards as per syslog and no one can ask you to modify the data. My advice is NEVER touch on raw data and 3rd parties will demand more 🙂

View solution in original post

0 Karma

Path Finder

Thanks for your comment.
This time, I'd like to use the universal forwarder and actually my outputs.conf was already modified and it didn't work.
Do you have any suspicious points?
I confirmed the syslog-server is listening on 12345.

0 Karma

Path Finder

I confirmed with Splunk support that my configuration seems no issue about using universal forwarder.
I guess root cause is not splunk side.

0 Karma

Builder

This is internal messages to _internal index of Splunk. Have you configured to just forward the WinEventLog:* to Arcsight?
Here you can find information on how to choose the correct data: https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

0 Karma

Path Finder

Thanks for your comment.
Yes, I had looked that information and just modified the outputs.conf
Do I need to modify props.conf and transforms.conf ?
At this moment, I'm fine to forward all the logs on this win server.

0 Karma

Builder

Hi, you don`t really need to change the props.conf and transforms.conf unless you want to send just the WinEventLog:* data

0 Karma

Path Finder

Thanks, I understood I don't have to modify the props.conf and transforms.conf

0 Karma