I have hundreds of UF (universal forwarders) setup and sending wineventlogs to our splunk cloud instance.
There is a requirement to also send the wineventlogs to our parent company, but they have logrhythm.
I have setup a separate app under apps/logrhythm and it's successfully sending data to both splunk cloud and the logrhythm collector.
The log rhythm collector sadly can't parse the data, so tried to change the it to XML via the renderXML directive via the below.
[WinEventLog://Application] index = wineventlog renderXml = true disabled = 0 [WinEventLog://Security] index = wineventlog renderXml = true disabled = 0 [WinEventLog://System] index = wineventlog renderXml = true disabled = 0
[tcpout] defaultGroup = logrhythm,splunkcloud [tcpout:logrhythm] server = <Servername>:514 sendCookedData = falsecompressed = false dnsResolutionInterval = 60
Sadly, this also sends XML format windows event logs to our splunk instance in the cloud - this completely mangles it and doesn't match all our other data sent with wineventlog
What is the best way to send wineventlog data, as set previously, to splunk cloud and XML wineventlog data to logrhythm??
Tried and failed 😞
We are sending directly from the UF -> Splunk cloud.
I was thinking of configuring all the Windows UFs to send to a heavy forwarder, which can then send to the logrhythm collector - I guess I should be able to parse that data and mangle it so that logrhythm can understand it.
We don't want the parent company anywhere near our server estate, so no Logrhythm collector on the servers ;D
Have you talked to your parent company about switching to Splunk? 😉
Just kidding. First, are you sending directly from the UFs to Splunk Cloud? Or are you sending to an intermediate forwarder first? If you have an intermediate forwarder with that data feed already, you are in luck and have some flexibility.
If you are sending straight to Splunk Cloud, the only option I see is still an intermediate forwarder running Splunk Enterprise. Keep in mind, if you do this, you will need a license for that intermediate forwarder if you don't already have one. If you route both feeds through the intermediate forwarder, you won't get hit twice on the license ingest meter. This also introduces a single point of failure. If that matters, which I'm sure it does, you'll want two or more of these.
Finally, could just stick an agent provided by LogRhythm on the boxes. But that's advice for another forum.
So I've installed and licensed the heavy forwarder, configured it to send to the logrhythm collector.
I think I need to change the props.conf or transforms.conf file to change the data from the ingressed splunk UF, into a format understandable by logrhythm.
Should I be placing that in the etc\system\local directory? So when it sends the data onwards, it's in a format logrhythm can understand?
Take a look at this documentation. That's the beginning of what you will need to do.
You will need a props stanza (I recommend basing it on the sourcetype) to call two transforms. One targets Splunk Cloud directly, the other targets LogRhythm. And the two tcpouts to match up with the transforms.
That seems to be working.
I still have an issue where the HF is sending (non XML) windows event logs to the thirdparty (logrhythm) server.
Any idea how I can convert (on the HF) the output to be XML for windows Event logs?
On the HF I've tried in outputs.conf
[tcpout] defaultGroup = default-autolb-group indexAndForward = 0 [tcpout:default-autolb-group] server = <server>:514 renderXml=true sendCookedData = false [tcpout-server://<server>:514] renderXml=true
But I can't get it to send over the input from the UF and send it on as XML....
OK, progress... how is your regex? 😉
renderXML won't work on an output stanza. Somehow we need to pipe the feed into a (hopefully native) XML transformation.
Or possibly do it the other way around... rendering XML at the UFWs and reconstructing to a "normal" event on the HFW side.
I'm not sure which is better or worse TBH. I don't have a Windows box to play with either.
Now that I think of it...
Your appetite may vary... what about doing native Windows Event Forwarding to the intermediate forwarder you just created... take your feed from there with LogRhythm and leave Splunk out of the equation. Your UFW config would go back to the way it was, sending data straight to Splunk Cloud, and you use the WEF feed to do what needs to be done for the corporate/parent company requirement.