Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Heavy Forwarder to RSA Security Analytics

tmarlette
Motivator
‎01-30-2015 10:47 AM

So i have an interesting problem, and I figure I would ask for some ideas on here.

I have a large stream of secure and unsecure data going to a Heavy forwarder. Currently we are black holing some of the secure data, but we would like to take that data and ship it to an RSA SA appliance. My question is how can I do that?

Can I just write a stanza somewhere and have it send that data to a difference IP and port?
Also, I assume RSA doesn't speak splunk, so will it appear in a format usable by RSA? maybe forward it as syslog?

Just doing a brain storm right now, so idea's are helpful.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ejenson_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 04:24 AM

If you are planning on forwarding data to RSA in syslog then in RSA set “rfc3164hdr_enable” to “true” on the VLC. This allows RSA to pull the host value from the syslog event as opposed to pulling it from the tcp header which is the default.

0 Karma
Reply
Solved! Jump to solution
Solution

tmarlette
Motivator
‎02-09-2015 02:02 PM

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

0 Karma
Reply
Solved! Jump to solution

nychawk
Communicator
‎07-09-2015 09:00 AM

Just curious, what solution did you actually use to do this?

Were their any issues?

What on the RSA SA appliance was required?

Thank you,

-mi

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...