Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SC4S routing configuration not working

L_Petch
Path Finder
‎09-10-2025 06:32 AM

Hello,

 

I am trying to get logs from my opnsense FW to go to an index called prod_opnsense but everything I have tried doesn't seem to make a difference and it still ends up in the LASTCHANCE index.

 

The latest thing I have tried is below but this also does not work,

I added a new port UDP 515 to my env file. I have checked the opnsense device is sending to this port and can see it in TCPDUMP using it and it makes it to the lastchance index so is not being blocked by any firewall rules etc.

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://HF_IP:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=TOKEN_ID
#Uncomment the following line if using untrusted SSL certificates
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

#Add additional listening ports
SC4S_LISTEN_OPNSENSE_UDP_PORT=515
SC4S_DEST_GLOBAL_ALTERNATES=d_archive

 

I added a new logpath file /opt/sc4s/local/config/log_paths/opnsense_515.conf.tmpl

filter f_opnsense_515 {
    source(s_src_udp_515);
    # This filter will match the program name "filterlog"
    program("filterlog");
};

# Log statement to process the traffic
log {
    source(s_src_udp_515);
    filter(f_opnsense_515);

    # Set the vendor_product field. This is how SC4S will map the traffic to an index.
    rewrite {
        set("sc4s_vendor_product", "opnsense");
    };

    # Send the processed logs to the Splunk destination
    destination(d_splunks_ops);
};

 

I then added the below to  /opt/sc4s/local/context/splunk_metadata.csv

opnsense,index,prod_opnsense

 

 

Anyone know why this is not working?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Meett
Splunk Employee
Splunk Employee
‎09-10-2025 05:13 PM

Hello @L_Petch  This seems to be something around parser itself,
Curious around this line : 

destination(d_splunks_ops)

 

I believe you have shared only half parser above...? can you please share all details? specially what does this d_splunks_ops stands for and what is inside that ? You can also raise support case on this matter if needed . 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...