Getting Data In

How to forward logs of a specific source to a third-party, non-Splunk system using a certificate?

rgb22
New Member

Hello guys,

We are working with a heavy forwarder and it's receiving logs from a lot of sources and of course sending them into a Splunk indexer. However, now I'm trying to add the functionality to forward (firewall) logs of a specific sourcetype via syslog to another instance which is not from Splunk, using a certificate.

I tried the steps in the documentation but I wasn't able to make it work properly. Can you give me some help with this, please?

PS: The documentation I was using: http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

Thank you in advance

0 Karma

mwdbhyat
Builder

Can you describe more about the issue you are facing? Is there an error you are getting, or is it just not forwarding anything?

0 Karma

rgb22
New Member

Thanks for your response.

I'm receiving firewall logs into a heavy forwarder and I need to send those logs to 1) Splunk indexers and 2) McAfee SIEM, using a certificate for the second. But I have no idea how to do it. I tried to send syslog to another instance and it worked, but I don't know how to do it using a certificate. Of course it needs to be a certificate that works with both Splunk and McAfee.

0 Karma

mwdbhyat
Builder

So the issue lies with the certificates then, and not the forwarding/routing?

0 Karma

rgb22
New Member

Yes, that's exactly my issue.

In addition: I was doing some tests and I was able to send those logs to another instance, but if you have a guide like "best practices" for doing this, I would be very grateful.

0 Karma
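The routing asked about in this thread (one sourcetype to the Splunk indexers and to a non-Splunk receiver over TLS with a client certificate), as an added example that is not part of any post above and not Splunk's or McAfee's own configuration. The point worth knowing from the linked documentation is that the `[syslog:...]` output stanza carries no TLS settings, so a certificate can only be presented from a `[tcpout:...]` group with `sendCookedData = false`, which sends each event's raw text rather than a cooked Splunk stream; the receiver has to accept a TLS TCP stream of raw lines. The sourcetype name `fw:syslog`, the group names, hostnames, ports and certificate paths below are all placeholders to be replaced with real values.

```ini
# props.conf on the heavy forwarder. "fw:syslog" is an assumed sourcetype name;
# replace it with the sourcetype the firewall logs actually arrive under.
[fw:syslog]
TRANSFORMS-routing = route_fw_to_siem

# transforms.conf: route matching events to BOTH target groups.
# Setting _TCP_ROUTING replaces the default group, so FORMAT must list
# every group that should still receive these events.
[route_fw_to_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = primary_indexers,mcafee_siem

# outputs.conf on the heavy forwarder.
[tcpout]
defaultGroup = primary_indexers

# Normal cooked Splunk-to-Splunk output to the indexers (hostnames assumed).
[tcpout:primary_indexers]
server = idx1.example.local:9997,idx2.example.local:9997

# Raw (uncooked) TCP output over TLS to the non-Splunk SIEM.
# Host, port and certificate paths are placeholders; the client certificate
# must be signed by a CA the SIEM trusts, and the SIEM's server certificate
# must chain to the CA bundle named in sslRootCAPath.
[tcpout:mcafee_siem]
server = siem.example.local:6514
sendCookedData = false
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/hf-client.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/siem-ca.pem
sslPassword = <private-key-passphrase>
sslVerifyServerCert = true
sslCommonNameToCheck = siem.example.local
```

Keep `sslVerifyServerCert = true` and the common-name check in place: without them the forwarder will happily hand the firewall logs to any host answering on that port, which defeats the purpose of using certificates. After a restart, `splunkd.log` on the heavy forwarder will show the TLS handshake errors (wrong CA, unreadable key, passphrase mismatch) if the connection to the SIEM group fails to come up, which is the first place to look when the routing works but the certificate does not.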