
SC4S routing configuration not working

L_Petch
Path Finder

Hello,


I am trying to get logs from my opnsense FW to go to an index called prod_opnsense, but everything I have tried doesn't seem to make a difference and it still ends up in the LASTCHANCE index.


The latest thing I have tried is below, but this also does not work.

I added a new port, UDP 515, to my env file. I have checked that the opnsense device is sending to this port: I can see it in tcpdump, and it makes it to the lastchance index, so it is not being blocked by any firewall rules etc.

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://HF_IP:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=TOKEN_ID
#Uncomment the following line if using untrusted SSL certificates
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

#Add additional listening ports
SC4S_LISTEN_OPNSENSE_UDP_PORT=515
SC4S_DEST_GLOBAL_ALTERNATES=d_archive


I added a new logpath file /opt/sc4s/local/config/log_paths/opnsense_515.conf.tmpl

filter f_opnsense_515 {
    source(s_src_udp_515);
    # This filter will match the program name "filterlog"
    program("filterlog");
};

# Log statement to process the traffic
log {
    source(s_src_udp_515);
    filter(f_opnsense_515);

    # Set the vendor_product field. This is how SC4S will map the traffic to an index.
    rewrite {
        set("sc4s_vendor_product", "opnsense");
    };

    # Send the processed logs to the Splunk destination
    destination(d_splunks_ops);
};


I then added the below to /opt/sc4s/local/context/splunk_metadata.csv

opnsense,index,prod_opnsense

Anyone know why this is not working?

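Added example, not part of the original post and not SC4S's own code: a small Python model of the routing decision the log path above relies on. The program("filterlog") filter can only match what the syslog parser extracts as the PROGRAM field, and the index is then taken from the splunk_metadata.csv row keyed by the vendor_product value, falling back to the lastchance index when nothing matches. Running constructed sample lines through this model shows which of those two steps a given message would fail at. The sample syslog lines, the metadata file content, the program-to-vendor_product mapping and the simplified fallback logic are all assumptions made for this example.

```python
import csv
import io
import re
from typing import Optional

# Constructed sample lines (not captured from the poster's firewall): one in
# RFC 3164 (BSD) form and one in RFC 5424 form, both from program "filterlog",
# plus a line from another program that the filter should not match.
SAMPLE_BSD = ("<134>Jan  5 10:22:01 opnsense filterlog[12345]: "
              "65,,,0,igb0,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.0.0.5,10.0.0.1,51234,443")
SAMPLE_5424 = ("<134>1 2024-01-05T10:22:01+00:00 opnsense filterlog 12345 - - "
               "65,,,0,igb0,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.0.0.5,10.0.0.1,51234,443")
SAMPLE_OTHER = "<30>Jan  5 10:22:02 opnsense sshd[999]: Accepted publickey for admin"

# Constructed splunk_metadata.csv content in the same key,field,value form as the post.
SAMPLE_METADATA = "opnsense,index,prod_opnsense\nopnsense,sourcetype,opnsense:filterlog\n"

# Assumed name for the catch-all index SC4S uses when it cannot classify an event.
LASTCHANCE_INDEX = "lastchance"

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")


def parse_syslog(line: str) -> Optional[dict]:
    """Extract PRI, host, program and message, trying RFC 5424 first, then BSD.

    Returns None when the line fits neither shape, which is one way an event
    can end up without a usable PROGRAM value for a program() filter.
    """
    m = _RFC5424.match(line)
    if m:
        program = m.group("app")
    else:
        m = _RFC3164.match(line)
        if not m:
            return None
        program = m.group("tag")
    pri = int(m.group("pri"))
    return {
        "program": program,
        "host": m.group("host"),
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "message": m.group("msg"),
    }


def load_metadata(csv_text: str) -> dict:
    """Parse splunk_metadata.csv rows (key,field,value) into {key: {field: value}}."""
    overrides: dict = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:          # skip blank or malformed rows
            continue
        key, field, value = (c.strip() for c in row)
        overrides.setdefault(key, {})[field] = value
    return overrides


def route(line: str, vendor_product_by_program: dict, metadata: dict) -> dict:
    """Simplified model of the log path: program() filter -> vendor_product -> metadata lookup."""
    event = parse_syslog(line)
    if event is None:
        return {"index": LASTCHANCE_INDEX, "reason": "line did not parse as syslog"}
    vp = vendor_product_by_program.get(event["program"])
    if vp is None:
        return {"index": LASTCHANCE_INDEX,
                "reason": f"no filter matched program {event['program']!r}"}
    fields = metadata.get(vp, {})
    return {
        "index": fields.get("index", LASTCHANCE_INDEX),
        "sourcetype": fields.get("sourcetype"),
        "vendor_product": vp,
        "program": event["program"],
        "reason": "matched" if "index" in fields else f"no index row for {vp!r} in metadata",
    }


if __name__ == "__main__":
    meta = load_metadata(SAMPLE_METADATA)
    mapping = {"filterlog": "opnsense"}   # what the filter + rewrite in the post intend
    for sample in (SAMPLE_BSD, SAMPLE_5424, SAMPLE_OTHER, "not a syslog line"):
        print(route(sample, mapping, meta))
```

The practical use is to paste a line captured with tcpdump from the real device in place of the constructed samples: if parse_syslog returns a program other than "filterlog", the program() filter is the step to look at; if it returns "filterlog" but the index still resolves to lastchance, the metadata key and the destination are the next things to check.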

Meett
Splunk Employee

Hello @L_Petch. This seems to be something around the parser itself.
Curious about this line:

destination(d_splunks_ops)


I believe you have shared only half of the parser above...? Can you please share all the details? Specifically, what does this d_splunks_ops stand for and what is inside it? You can also raise a support case on this matter if needed.
