Solved: Heavy Forwarder to RSA Security Analytics

tmarlette · ‎01-30-2015

So i have an interesting problem, and I figure I would ask for some ideas on here.

I have a large stream of secure and unsecure data going to a Heavy forwarder. Currently we are black holing some of the secure data, but we would like to take that data and ship it to an RSA SA appliance. My question is how can I do that?

Can I just write a stanza somewhere and have it send that data to a difference IP and port?
Also, I assume RSA doesn't speak splunk, so will it appear in a format usable by RSA? maybe forward it as syslog?

Just doing a brain storm right now, so idea's are helpful.

Thank you!

tmarlette · ‎02-09-2015

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

View solution in original post

ejenson_splunk · ‎06-02-2015

If you are planning on forwarding data to RSA in syslog then in RSA set “rfc3164hdr_enable” to “true” on the VLC. This allows RSA to pull the host value from the syslog event as opposed to pulling it from the tcp header which is the default.

tmarlette · ‎02-09-2015

This is simply answered in the documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad

nychawk · ‎07-09-2015

Just curious, what solution did you actually use to do this?

Were their any issues?

What on the RSA SA appliance was required?

Thank you,

-mi

Heavy Forwarder to RSA Security Analytics

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)