Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Heavy Forwarder to RSA Security Analytics

tmarlette
Motivator
‎01-30-2015 10:47 AM

So i have an interesting problem, and I figure I would ask for some ideas on here.

I have a large stream of secure and unsecure data going to a Heavy forwarder. Currently we are black holing some of the secure data, but we would like to take that data and ship it to an RSA SA appliance. My question is how can I do that?

Can I just write a stanza somewhere and have it send that data to a difference IP and port?
Also, I assume RSA doesn't speak splunk, so will it appear in a format usable by RSA? maybe forward it as syslog?

Just doing a brain storm right now, so idea's are helpful.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ejenson_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 04:24 AM

If you are planning on forwarding data to RSA in syslog then in RSA set “rfc3164hdr_enable” to “true” on the VLC. This allows RSA to pull the host value from the syslog event as opposed to pulling it from the tcp header which is the default.

0 Karma
Reply
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

0 Karma
Reply
Solved! Jump to solution

nychawk
Communicator
‎07-09-2015 09:00 AM

Just curious, what solution did you actually use to do this?

Were their any issues?

What on the RSA SA appliance was required?

Thank you,

-mi

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...