Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a config available that would push out the same format as Snare from a Heavy Forwarder?

CletisNPT
Explorer
‎12-13-2017 12:08 PM

Is there a config available that would push out the same format as Snare from a Heavy Forwarder? i.e. UniversalForwarder->HeavyForwarder->ForkTo:

  1. Native windows log gets pushed to the indexer in it's original format from the Universal Forwarder.
  2. A copy has the Snare transform applied and pushed out to a third party syslog server.
0 Karma
Reply

CletisNPT
Explorer
‎12-14-2017 09:02 AM

I'm sure there's a way to do it with the transforms and SEDCMD. Was just curious if anyone had accomplished it yet.

0 Karma
Reply

nickhills
Ultra Champion
‎12-15-2017 02:27 AM

You cant reformat the data which would be sent over a raw socket with a transform - it would always be sent as a 'Splunk Formatted' message, but with a little bit of netcat/grep/awk/sed fun you could probably get the data into any format you like - but probably a PITA!

I have just done a very quick google, and it seems that snare can accept syslog messages so this seems like the way to go.

in your outputs/conf

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = <your syslog server>:514

I think thats all it takes!

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-20-2017 02:20 AM

Did this help you? If you found it useful, please be sure to accept/upvote any posts which helped, as it provides useful feedback for future viewers of your question. Good luck!

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-14-2017 12:56 AM

You cant reformat the data, however you can send a copy of the raw event via a TCP socket, or alternatively as Syslog.
I am not familiar with Snare, but it sounds like the second option would be most appropriate for you.

http://docs.splunk.com/Documentation/Splunk/7.0.1/Forwarding/Forwarddatatothird-partysystemsd

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...