Getting Data In

How to filter specific logs and send it as syslog to a third-party host

LittleFatFish
Engager

Hi all,

I want to send logs (which are part of our sourcetype [kube_audit]) from my HeavyForwarder to a third-party system (in my case a SIEM) in syslog format, and only those which are caught by the regex defined. Everything else should be sent normally to my Indexers. There is documentation, but for my use case there is no further description. (https://docs.splunk.com/Documentation/Splunk/9.1.3/Forwarding/Routeandfilterdatad#Filter_and_route_e... , https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd )

I tried to follow the documentation and tried many things. But I end up with my third-party host receiving ALL logs of my sourcetype [kube_audit] instead of only a part of them. I checked my regex, as I suspected this would be my point of failure, but there must be some other configuration I am missing, as in a simple setup the regex works as it is.

My setup for outputs, transforms and props.conf:

props.conf:

[kube_audit]
TRANSFORMS-routing = route_to_sentinel

transforms.conf:

[route_to_sentinel]
REGEX = (?<sentinel>"verb":"create".*"impersonatedUser".*"objectRef":\{"resource":"pods".*"subresource":"exec")
DEST_KEY = _SYSLOG_ROUTING
FORMAT = sentinel_forwarders

outputs.conf:

[tcpout]
defaultGroup = my_indexers
forwardedindex.filter.disable = true
indexAndForward = false
useACK = true
backoffOnFailure = 5
connectionTTL = 3500
writeTimeout = 100
maxConnectionsPerIndexer = 20

[tcpout:my_indexers]
server=<list_of_servers>

[syslog]
defaultGroup = sentinel_forwarders

[syslog:sentinel_forwarders]
server = mythirdpartyhost:514
type = udp

Am I missing something? Any notable things I did miss? Any help is appreciated!

Best regards


gcusello
SplunkTrust

Hi @LittleFatFish ,

what's your issue: you don't send logs to the third-party syslog, or you send all your logs?

I experienced both issues.

I solved the first by removing:

defaultGroup = my_indexers

in the [tcpout] stanza.

Ciao.

Giuseppe


LittleFatFish
Engager

Hey @gcusello !

Removing this option from my tcpout stanza would cause everything else being logged to my indexers to no longer be sent by my heavyforwarder.

My main issue is that my third-party host gets sent everything from my sourcetype kube_audit instead of only a specific part (which should include everything matching my regex).

So I have a setup where my heavyforwarder sends a lot to my indexers in my environment, but now for security purposes we want to send a specific part through the syslogoutputprocessor to a third-party host, which should receive it on port 514 via UDP. Instead of respecting my regex defined in transforms.conf, it sends everything regarding the sourcetype kube_audit defined in my props.conf (what you would expect "REGEX = (.)" to do).

Any other way you fixed it?

Thanks for helping


gcusello
SplunkTrust

Hi @LittleFatFish ,

in this case, check if the sourcetype in props.conf is correct and especially if it's overridden; maybe when the transformation is applied your events still have the original sourcetype.

Then obviously (but I'm sure that you already did it) check again the regex in transforms.conf.

Ciao.

Giuseppe
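To check the regex from the question in isolation (as both the asker and the reply above suggest), here is an added Python harness that is not part of this thread: it applies the transforms.conf REGEX to a few constructed Kubernetes audit events serialised the way they land in _raw and reports which ones would be routed to syslog. It also shows that the pattern depends on the JSON key order (verb, then impersonatedUser, then objectRef), so the same fields in another order are not routed. The event contents, the ci-bot/admin user names, the namespace and the auditIDs are constructed sample values.

```python
import json
import re

# REGEX from the transforms.conf stanza in the question, copied verbatim.
# Splunk evaluates it with PCRE, where (?<name>...) is a named group;
# Python's re module spells that (?P<name>...), so it is rewritten first.
SPLUNK_REGEX = (r'(?<sentinel>"verb":"create".*"impersonatedUser".*'
                r'"objectRef":\{"resource":"pods".*"subresource":"exec")')

def compile_splunk_regex(pattern: str) -> re.Pattern:
    """Compile a transforms.conf-style pattern with Python's re module."""
    return re.compile(re.sub(r'\(\?<([A-Za-z_]\w*)>', r'(?P<\1>', pattern))

def audit_event(audit_id, verb, resource, subresource=None, impersonated=None):
    """Constructed audit.k8s.io/v1 event; key order mirrors what the API server emits."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
          "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
          "user": {"username": "ci-bot"}}          # constructed user
    if impersonated:
        ev["impersonatedUser"] = {"username": impersonated}
    ev["objectRef"] = {"resource": resource, "namespace": "prod", "name": "web-0"}
    if subresource:
        ev["objectRef"]["subresource"] = subresource
    return ev

# Constructed sample events; e5 has e1's fields with objectRef before impersonatedUser.
exec_event = audit_event("e1", "create", "pods", "exec", impersonated="admin")
reordered = {k: v for k, v in exec_event.items() if k != "impersonatedUser"}
reordered["impersonatedUser"] = exec_event["impersonatedUser"]
reordered["auditID"] = "e5"
# Compact JSON, one event per line, is how the audit log reaches _raw on the forwarder.
SAMPLE_EVENTS = [json.dumps(e, separators=(",", ":")) for e in (
    exec_event,                                                     # impersonated pod exec
    audit_event("e2", "create", "pods", "exec"),                    # exec, no impersonation
    audit_event("e3", "create", "deployments", impersonated="admin"),
    audit_event("e4", "get", "pods", "log", impersonated="admin"),
    reordered,
)]

def classify(raw_events, pattern=SPLUNK_REGEX):
    """Map auditID -> True if the REGEX would send the event down _SYSLOG_ROUTING."""
    rx = compile_splunk_regex(pattern)
    return {json.loads(raw)["auditID"]: rx.search(raw) is not None for raw in raw_events}

if __name__ == "__main__":
    for audit_id, routed in classify(SAMPLE_EVENTS).items():
        print(audit_id, "-> syslog" if routed else "-> indexers only")
```

If only e1 is selected here, the regex itself is selective and the cause of every kube_audit event reaching the syslog host lies elsewhere in the forwarder configuration.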
