Hi Splunkers,
today I'm here not for an issue, or better, not yet, but to "pull all together" the components of my task, which is forwarding Splunk data from an HF to another system, an Exabeam UEBA in my case. I'm trying to prevent possible errors I could make in changing the required files, so I may want to perform a check here with you to understand if I got all I need from the docs. Let me give you more context and introduce the current state.
Which documentation did we use? These:
Forward data to third-party systems
Route and filter data
Plus I searched other similar topics here on the community and tried to get some results.
So, putting all the data together, we stated that, because there are no outputs.conf, props.conf and transforms.conf files in $SPLUNK_HOME/etc/system/local, we must:
If the above assumptions are right, I have some doubts about the files, because some points of the docs are not completely clear to me. So, suppose we want to start forwarding only a subset of Windows EventIDs with syslog over TCP; are the below conf files ok?
outputs.conf:
[syslog:syslogToExabeamGroup]
type = tcp
server = <ipaddress>:<port>
Note that, because I have to forward only a subset of data, I avoided the defaultGroup setting, like in the sample of the Forward data to third-party systems docs.
props.conf:
[<windows_sourcetype_name>]
TRANSFORMS-routing1 = syslog_from_win_to_exabeam
Here I used the sourcetype name directly and not the syntax sourcetype::<sourcetype_name>; is it correct? Plus, even if in the Forward data to third-party systems docs I have the syntax TRANSFORMS-whatever_you_want, I followed what is stated in Route and Filter Data and used a syntax like TRANSFORMS-routingX.
transforms.conf:
[syslog_from_win_to_exabeam]
REGEX = EventID\>(4624|4625|4648|4672|4720|4722|4723|4724|4725|4726|4728|4729|4732|4733|4740|4756|4757|4767|4768|4769|4770|4771|4776|4780|1102|4611|4663|4673|4674|4688|4697|4698|4719|4778|4779|4780|4800|4801|5136|5137|5138|5139|5140|5141|5145|6272)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogToExabeamGroup
The regex has been built based on our logs (we are receiving them in XML format).
It all seems ok, but I'm not sure whether I forgot or misconfigured something.
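As an added check that is not part of the thread, the Python script below does offline what the original poster is asking for by hand: it parses the three conf files with the stanzas shown above, verifies that every TRANSFORMS- entry in props.conf names an existing transforms.conf stanza, that each transform's DEST_KEY is a routing key and its FORMAT resolves to a matching syslog: or tcpout: group in outputs.conf with a server set, and that the REGEX compiles. It then runs the REGEX against a few constructed XML Windows events. The host/port (192.0.2.10:514), the sourcetype WinEventLog:Security, the shortened EventID list and the sample events are all constructed values, not from the thread or from Splunk; the regex semantics follow Python's re, which for these patterns behaves like the PCRE Splunk uses.

```python
"""Consistency check for a Splunk HF routing config (outputs/props/transforms).

Constructed example, not code from the thread or from Splunk. The conf text
below uses placeholder values so the check runs offline.
"""
import configparser
import re

OUTPUTS_CONF = """
[syslog:syslogToExabeamGroup]
type = tcp
server = 192.0.2.10:514
"""

PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-routing1 = syslog_from_win_to_exabeam
"""

# Shortened EventID list; the thread's list is longer but has the same shape.
TRANSFORMS_CONF = r"""
[syslog_from_win_to_exabeam]
REGEX = EventID\>(4624|4625|4648|4672|4720|1102)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogToExabeamGroup
"""

# Constructed XML-rendered Windows events, cut down to the part the REGEX inspects.
# 46240 is a made-up five-digit ID that shares the prefix 4624.
SAMPLE_EVENTS = {
    "4624": "<Event><System><EventID>4624</EventID></System></Event>",
    "4634": "<Event><System><EventID>4634</EventID></System></Event>",
    "46240": "<Event><System><EventID>46240</EventID></System></Event>",
}

# DEST_KEY -> outputs.conf stanza prefix that the FORMAT value must resolve to.
DEST_KEY_PREFIX = {"_SYSLOG_ROUTING": "syslog:", "_TCP_ROUTING": "tcpout:"}


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # Splunk keys are case-sensitive (TRANSFORMS-, REGEX, ...)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def check_routing(outputs, props, transforms):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    problems.append(f"{stanza}: {key} references missing transform [{name}]")
                    continue
                dest = t.get("DEST_KEY")
                prefix = DEST_KEY_PREFIX.get(dest)
                if prefix is None:
                    problems.append(f"[{name}]: DEST_KEY={dest!r} is not a routing key")
                    continue
                group = prefix + t.get("FORMAT", "")
                if group not in outputs:
                    problems.append(f"[{name}]: FORMAT points at missing outputs stanza [{group}]")
                elif "server" not in outputs[group]:
                    problems.append(f"[{group}]: no server = host:port")
                try:
                    re.compile(t.get("REGEX", ""))
                except re.error as exc:
                    problems.append(f"[{name}]: REGEX does not compile: {exc}")
    return problems


def routed_event_ids(regex, events):
    """Return the sample event IDs whose raw text the routing REGEX matches."""
    pattern = re.compile(regex)
    return sorted(k for k, raw in events.items() if pattern.search(raw))


if __name__ == "__main__":
    outputs = parse_conf(OUTPUTS_CONF)
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    for line in check_routing(outputs, props, transforms) or ["routing config is consistent"]:
        print(line)
    regex = transforms["syslog_from_win_to_exabeam"]["REGEX"]
    # Without a closing anchor the alternation also matches IDs that merely start
    # with a listed value; appending \< (the closing tag) limits it to exact IDs.
    print("unanchored:", routed_event_ids(regex, SAMPLE_EVENTS))
    print("anchored:  ", routed_event_ids(regex + r"\<", SAMPLE_EVENTS))
```

Run it with the real files by replacing the three constants with the contents of $SPLUNK_HOME/etc/apps/<your_app>/local/*.conf; any problem it lists is a broken reference between the files, which is exactly the kind of silent misconfiguration that leaves the syslog group defined but never used. The second print illustrates the caveat with the constructed 46240 event: the thread's REGEX matches on a prefix, so an exact match needs the closing `\<`.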
Hi @SplunkExplorer,
you don't need to have conf files in system local, it's a best practice to have them in a dedicated app, so the best approach is to modify this app, agreed with the other team.
The links you listed are the correct ones to follow for this job.
I add only one piece of information, which you can also find in one of my previous answers: add to your inputs.conf:
_SYSLOG_ROUTING = outputs.conf_syslog_group
_TCP_ROUTING = outputs.conf_other_group
I experienced that without this, syslogs aren't sent.
Ciao.
Giuseppe
Hi Giuseppe, thanks for your answer, appreciated as always.
At this point, 3 questions arise:
1. For inputs.conf file, we mean the one under $SPLUNK_HOME/etc/system/local/ path?
2. If we don't want to develop a new app, can we develop those files under the $SPLUNK_HOME/etc/system/local/ path anyway, or might we encounter some kind of problem?
3. I searched how to create an app (never performed before, I only created an add-on using the Add-on Builder) and I found this: https://dev.splunk.com/enterprise/docs/developapps/createapps/. The link speaks about creating an app using the Splunk Web GUI; since we need this app on an HF, I have to assume we have to perform this action on the HF Web Interface?
Hi @SplunkExplorer,
don't put anything in system local! It's always better to put every conf file in an app or a TA (Technical Add-On), otherwise you cannot manage these conf files using a Deployment server!
About inputs.conf, I mean the one where the syslog inputs are located; I suppose they are in a dedicated app, and if they are in system/local, move them.
To create an app without using the GUI, you can use the Add-On Builder, or simply clone the folder structure and copy or create the conf files in the app's local folder.
I don't suggest using the web GUI because you have to modify conf files that aren't managed by the GUI.
Ciao.
Giuseppe
Thanks giuseppe, I understand.
So, in case I want to use the Splunk Add-On Builder on another PC (for example, my laptop), I can create it and then upload it directly to the HF, for example from the Web GUI. Clear.
Hi @SplunkExplorer,
Exactly!
In my opinion, it's easier to clone the folder structure and manually create or copy the conf files via CLI.
Tell me if I can help you more, or, please, for the other people of Community, accept one answer.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi Giuseppe, we are performing the configuration, putting all the info together. Work ongoing.
Thanks a lot.
Hi @SplunkExplorer,
As I said, tell me if I can help you more, or, please, for the other people of Community, accept one answer.
Eventually close this answer and if you need, open a new one, this isn't a Case manager!
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉