Getting Data In

How to filter syslogs to third parties?

gcusello
SplunkTrust
SplunkTrust

Hi everyone,
As usual, I have a strange question:
I need to send a subset of the logs received from an appliance to an external SIEM via syslog, this appliance is a Mobileiron server with a Universal Forwarder embedded in it.
I configured the Heavy Forwarder and sending syslogs works fine.
However, I have the problem that all the logs from the source appliance are sent via syslog and not just a part of them as I would like.
Usually the problem is solved by using _TCP_ROUTING and _SYSLOG_ROUTING in the inputs.conf.
The problem is that the source server is a MobileIron appliance that sends logs through an embedded Universal Forwarder, where I cannot edit the configuration files by hand and therefore cannot enter parameters to select destinations for the various log types.
Can anyone  hint to a workaround to send via syslog only two prefixed sourcetypes, keeping sending all logs to Indexers?
Thanks in advance.

Ciao.

Giuseppe

Labels (1)
Tags (2)
0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@gcusello - Do you mean to send data to Splunk indexes and clone it to a third-party SIEM solution?

Give it a try with the below configuration on the testing environment to see what happens. (Though I still don't understand why you think ROUTING will not work in your case?)

[my_sourcetype]
TRANSFORMS-routing = route_to_indexers, route_to_third_party_tool

[route_to_indexers]
DEST_KEY = _TCP_ROUTING
FORMAT = my_indexers

[route_to_third_party_tool]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_third_party_tool

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VatsalJagani,

thank you for your attention.

as I said, it's a strange situation:

I configured my system as you said and it's sending logs to syslog,

but the problem is that I don't need to send all logs to syslog, but only a part of them and I cannot filter them before sending because _TCP_ROUTING and SYSLOG_ROUTING must be inserted in inputs.conf, but, in my situation, inputs.conf is in a closed appliance so I cannot.

I'm searching for a way to filter logs on the Heavy Forwarder.

Ciao.

Giuseppe

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@gcusello - You can do _SYSLOG_ROUTING and _TCP_ROUTING with props.conf and transforms.conf as I suggested. That should allow you to do routing on specific sourcetype or source.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VatsalJagani,

this is the procedure described in the Splunk documentation and I tried it, but it didn't work and syslogs weren't sent, I also tried to open a case to Splunk Support for a behavior different than documented but they closed it because they didn't find any issue.

So I added _SYSLOG_ROUTING and _TCP_ROUTING to the tcpinput on the HF, in this way syslogs are sent but the filter doesn't run.

Ciao.

Giuseppe

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@gcusello 

It should work on HF through props/transforms.

Have you tried running tcpdump on receiving server to check? Have you checked Splunk logs?

If the configuration is okay then Splunk HF should send the data according to the documentation. If not its Splunk issue for sure.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @VatsalJagani,

I runned tcpdump on the same server and no syslog exits from the HF during my first test (without parameters in inputs.conf),

instead tcpdump displays syslog sending with the inputs.conf configuration.

I'll try again, to be more sure, but I already runned this test.

Ciao and thanks.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...