Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Heavy Forwarder to RSA Security Analytics

tmarlette
Motivator
‎01-30-2015 10:47 AM

So i have an interesting problem, and I figure I would ask for some ideas on here.

I have a large stream of secure and unsecure data going to a Heavy forwarder. Currently we are black holing some of the secure data, but we would like to take that data and ship it to an RSA SA appliance. My question is how can I do that?

Can I just write a stanza somewhere and have it send that data to a difference IP and port?
Also, I assume RSA doesn't speak splunk, so will it appear in a format usable by RSA? maybe forward it as syslog?

Just doing a brain storm right now, so idea's are helpful.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ejenson_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 04:24 AM

If you are planning on forwarding data to RSA in syslog then in RSA set “rfc3164hdr_enable” to “true” on the VLC. This allows RSA to pull the host value from the syslog event as opposed to pulling it from the tcp header which is the default.

0 Karma
Reply
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

0 Karma
Reply
Solved! Jump to solution

nychawk
Communicator
‎07-09-2015 09:00 AM

Just curious, what solution did you actually use to do this?

Were their any issues?

What on the RSA SA appliance was required?

Thank you,

-mi

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...
li.common.scroll-to.top