Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SC4S parser

L_Petch
Path Finder
‎07-31-2025 03:04 AM

Hello,

 

I need to send all syslog data from opnsense to a specific index. As this is not a known vender source what is the easiest way to do this? I have seen that you can create a parser based on certain factors so guessing this would be the easiest way? If so does anyone have a good parser guide?

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-31-2025 05:21 AM

Hi @L_Petch 

If you havent already, check out https://splunk.github.io/splunk-connect-for-syslog/2.44.2/gettingstarted/create-parser/ which has a guide on how to create custom parsers. This is probably the best way because it prevents finding a potentially fragile alternative process for identifying and routing the data (e.g. when it lands in Splunk with Props/Transforms).

Here is a sample to get you started:
In /opt/sc4s/local/config/app_parsers/

# app-opnsense.conf
application app-opnsense[sc4s-network-source] {
    filter {
        program("filterlog" flags(prefix))
        or program("opnsense" flags(prefix))
        or host("opnsense*" type(glob))
        or message("opnsense" flags(substring))
    };
    parser {
        p_set_netsource_fields(
            vendor("pfsense")  # Use pfsense as base
            product("opnsense")
        );
    };
};

Then create the destination in /opt/sc4s/local/config/destinations/:

# dest-opnsense.conf
destination d_opnsense {
    splunk(
        class(splunk_hec)
        template("$(format-splunk-hec)")
        hec_token("YOUR_HEC_TOKEN")
        url("https://your-splunk:8088/services/collector/event")
        index("opnsense")
        source("${.splunk.source}")
        sourcetype("opnsense:syslog")
    );
};

log {
    source(s_network);
    filter(f_is_source_identified);
    if (match("opnsense" value("fields.sc4s_vendor"))) {
        destination(d_opnsense);
        flags(flow-control,final);
    };
};

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

L_Petch
Path Finder
‎07-31-2025 06:03 AM

Hi @livehybrid,

 

Thanks for this. I looked at the parsing documentation earlier. Is there not a simpler way to do this as I don't need to rewrite fields etc as I have a TA doing it. All I need is if syslog from this HOST/IP then send to index=opnsense, is this achievable with one parser config or is what you already stated the only way of doing it?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...