Getting Data In

Route syslog from heavy forwarder to 3rd party, but only WinEventLogs?

eblackburn
Path Finder

We are sending logs received by our heavy forwarder to a 3rd-party syslog server. We thought we had it configured so that only WinEventLogs are being forwarded to the 3rd party, but it turns out they're getting everything (sourcetypes they don't need, etc). What is the best way to filter out all of these other events? Either from the universal forwarders to the HF, or from the HF to the 3rd party.

For background, here's our basic setup. I'll post our config further down.

UFs -> Heavy Forwarder -> 3rd party syslog-ng server

The UFs themselves have two tcpouts: one to our indexers, and the other is the heavy forwarder. They are otherwise identical.

The heavy forwarder has a props, transforms, and output that is supposed to only route WinEventLog:* to the syslog destination. It has a separate outputs.conf that tells it to turn off local indexing and disable the forwarderindex.filter (maybe this is the problem; not sure). We don't seem to have anything specifically telling the HF not to send anything except for WinEventLogs to the syslog destination; not sure how to implement that, if it's needed.

[One side note, we eventually need to send dhcp logs to the 3rd-party. Right now, they're getting there, but the "source" is actually showing as the heavy forwarder. They're configured on the UFs to go to a different index from the Windows event logs, but I would need to stop the inserting of the heavy forwarder as the source, and allow for that index to be sent from the HF to the 3rd party. I might save this all for a different discussion post, but just throwing it out there.]

Heavy forwarder props.conf:

[source::WinEventLog:*]
SEDCMD-tabreplace = s/(?m-s)[\r\n]+/ /g
TRANSFORMS-routing = 3rdparty

Heavy forwarder transforms.conf:

[3rdparty]
REGEX = .
SOURCE_KEY = MetaData:Host
DEST_KEY = _SYSLOG_ROUTING
FORMAT = to3rdparty

Heavy forwarder outputs.conf:

[syslog]
defaultGroup = to3rdparty

[syslog:to3rdparty]
sendCookedData = false
# 3rd-party syslog server
server = 1.1.1.1:1111
type = udp
disabled = false
priority = <13>
maxEventSize = 16384
timestampformat = %b %d %H:%M:%S

UF outputs.conf:

[tcpout:our_HF]
server = <HF info>
useACK=true
#sendCookedData = false
forceTimebasedAutoLB = false

UF inputs.conf:

[default]
_TCP_ROUTING=primary_indexers,our_HF
evt_resolve_ad_obj = 0

Thank you for any help!

0 Karma
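As an added example (not part of the original post, and not the configuration the poster ended up with), here is how the three heavy-forwarder files look when Splunk's syslog output is driven purely by the transform. The difference from the posted files is that the [syslog] stanza carries no defaultGroup: with defaultGroup set, every event that passes through the forwarder is sent to that syslog group, whereas without it an event only reaches the group when a transform writes its name into _SYSLOG_ROUTING, and that transform is only invoked for events matching the [source::WinEventLog:*] props stanza. The server address is a placeholder from the documentation range, and the group name to3rdparty is reused from the post.

```ini
# --- outputs.conf on the heavy forwarder (added example) ---
# Deliberately no "[syslog]" stanza with "defaultGroup = ...":
# without a default group, an event is only written to a syslog
# output when a transform sets _SYSLOG_ROUTING on it.

[syslog:to3rdparty]
sendCookedData = false
# placeholder address (192.0.2.0/24 is reserved for documentation)
server = 192.0.2.10:514
type = udp
disabled = false
priority = <13>
maxEventSize = 16384
timestampformat = %b %d %H:%M:%S

# --- props.conf on the heavy forwarder ---
# The routing transform runs only for events whose source is a
# Windows event log channel; other sources never see the transform
# and therefore never get a _SYSLOG_ROUTING value.
[source::WinEventLog:*]
SEDCMD-tabreplace = s/(?m-s)[\r\n]+/ /g
TRANSFORMS-routing = 3rdparty

# --- transforms.conf on the heavy forwarder ---
# "." matches any event the props stanza hands over; the FORMAT value
# must equal the name after "syslog:" in outputs.conf.
[3rdparty]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = to3rdparty
```

Because the selection lives in props.conf rather than in outputs.conf, adding a further source (such as the DHCP logs mentioned in the post) to the same destination later means adding another props stanza that points at the same 3rdparty transform, without touching the syslog output stanza.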