
How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Contributor

Has anyone done Splunk and Proofpoint Cloud instance integration? I am looking for help to pull the logs from Proofpoint via APIs or any other methods from the Proofpoint cloud instance.


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Contributor

Was anyone able to figure this out yet?


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Communicator

Proofpoint POD has an additional license, "remote syslog forwarding", one can purchase to send logs from the cloud to on-prem via a TLS syslog stream. Then their TA https://splunkbase.splunk.com/app/3080/ can be utilized.


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Contributor

I finally got a call from them and that's exactly what they said.


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Communicator

After finally getting the infra set up to receive the TLS-encrypted syslogs... ran into some serious issues with their TA_PPS app. Support engaged. Waiting on a response for what's next or a new release.


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

New Member

How did you overcome the requirement for PFS in the TLS cipher? Did you use an intermediary syslog server, or adjust the Splunk TCP SSL input encryption cipher?


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Communicator

Logs flow to an intermediate RedHat server running rsyslog (this version only supports up to TLS 1.1, but can still receive the logs from POD). A Splunk UF picks up the syslog files and forwards them on to the indexers.

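The relay described in this answer, as an added example (not the poster's or Proofpoint's configuration): an rsyslog 8.x TLS-only listener that accepts the POD stream and writes it to per-host files for the Universal Forwarder to monitor. The certificate paths, permitted peer name, port, index and sourcetype are placeholders to replace with your own values; the `gnutlsPriorityString` parameter needs rsyslog 8.29 or later and is what limits the listener to forward-secret (ECDHE/DHE) cipher suites, which answers the PFS question above without a second hop.

```conf
# /etc/rsyslog.d/proofpoint-pod.conf  (rsyslog 8.x, gtls netstream driver)
# All certificate paths and the peer name below are placeholders.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/relay.crt"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/relay.key"
)

# StreamDriver.Mode="1" refuses plaintext connections on this listener.
# AuthMode="x509/name" only accepts a sender whose certificate matches
# PermittedPeer, so a stray host cannot inject "Proofpoint" events.
# gnutlsPriorityString pins TLS 1.2 and forward-secret key exchange only.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["pod-sender.example.com"]
       gnutlsPriorityString="SECURE256:+SECURE128:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA"
)

# One file per sending host per day; keep the raw line unchanged so the
# downstream parser (TA or home-grown) sees exactly what POD sent.
template(name="PodFile" type="string"
         string="/var/log/proofpoint/%HOSTNAME%/%$year%-%$month%-%$day%.log")
template(name="PodRaw" type="string" string="%rawmsg%\n")

ruleset(name="pod") {
  action(type="omfile" dynaFile="PodFile" template="PodRaw"
         dirCreateMode="0750" fileCreateMode="0640"
         dirOwner="splunk" dirGroup="splunk"
         fileOwner="splunk" fileGroup="splunk")
}

# Bind the listener to the ruleset; 6514 is the conventional syslog-over-TLS port.
input(type="imtcp" port="6514" ruleset="pod")
```

The matching Universal Forwarder stanza on the relay would be a `[monitor:///var/log/proofpoint/*/*.log]` entry in inputs.conf with your chosen index and sourcetype. Because the files are written per host and per day, rotate or purge old directories on the relay; the UF tracks each file by its CRC, so plain deletion after the retention window is safe.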

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Contributor

Literally the worst... can't believe it's not API driven.


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Path Finder

Point taken. We are moving to an API-driven TA and app for our next release. Look for the beta to come out around .Conf18.


Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

Explorer

As identified, secure syslog is supported, and following guidance from Splunk we utilized an intermediary syslog server with syslog-ng before forwarding to a Splunk indexer.

The TA is not needed; it is fairly straightforward to construct your own parser for the MTA log information. Have not used the APIs yet for the threat information, but it will be valuable to have alongside the raw MTA information.
