SC4S, how do I write raw message into a directory?

karn · ‎07-07-2023

Hi,

I want to sc4s to receive syslog and I want sc4s to write raw message into a directory. However, it doesn't write the raw message. There are only export messages (json) write into archive folder. What is my mistake? And which the directory was written to.

Thank you

########### env_file ############

SPLUNK_HEC_URL=https://xx.xx.xx.xx:8088
SPLUNK_HEC_TOKEN=xxxxxxxxxxxxxxxxxxxxx
SC4S_DEST_SPLUNK_HEC_TLS_VERIFY=no
#SC4S_USE_REVERSE_DNS=yes

SC4S_LISTEN_FORTINET_UDP_PORT=514

SC4S_GLOBAL_ARCHIVE_MODE=compliance
SC4S_ARCHIVE_GLOBAL=yes

SC4S_SOURCE_STORE_RAWMSG=yes
SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug,d_archive,d_rawmsg

woodcock · ‎12-21-2024

I, too, am having this problem. We are working from this document:

https://splunk.github.io/splunk-connect-for-syslog/2.30.1/troubleshooting/troubleshoot_resources/

SC4S, how do I write raw message into a directory?

HTTP Event Collector

Linux

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

SC4S, how do I write raw message into a directory?

HTTP Event Collector

Linux

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...