Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Heavy Forwarder to RSA Security Analytics

tmarlette
Motivator
‎01-30-2015 10:47 AM

So i have an interesting problem, and I figure I would ask for some ideas on here.

I have a large stream of secure and unsecure data going to a Heavy forwarder. Currently we are black holing some of the secure data, but we would like to take that data and ship it to an RSA SA appliance. My question is how can I do that?

Can I just write a stanza somewhere and have it send that data to a difference IP and port?
Also, I assume RSA doesn't speak splunk, so will it appear in a format usable by RSA? maybe forward it as syslog?

Just doing a brain storm right now, so idea's are helpful.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ejenson_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 04:24 AM

If you are planning on forwarding data to RSA in syslog then in RSA set “rfc3164hdr_enable” to “true” on the VLC. This allows RSA to pull the host value from the syslog event as opposed to pulling it from the tcp header which is the default.

0 Karma
Reply
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

0 Karma
Reply
Solved! Jump to solution

nychawk
Communicator
‎07-09-2015 09:00 AM

Just curious, what solution did you actually use to do this?

Were their any issues?

What on the RSA SA appliance was required?

Thank you,

-mi

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top