I have the following line in my splunk_metadata.csv to forward Forcepoint proxy logs to the index called proxy_forcepoint. This worked when running the latest 1.x release.
Post upgrade, some of the events still go into the index above (these have the sc4s_vendor_product field set to forcepoint), whereas other events are delivered to the lastchanceindex (these do not have a field sc4s_vendor_product).
Looking in app-syslog-forcepoint_webprotect.conf (from the 2.29 source), Forcepoint messages are recognised by "vendor=Forcepoint" (which all messages have), and if Product is "Security" (which all messages have), then the rewrite rule should set "product("webprotect")".
So I cannot see what is obviously wrong in the configuration or events, or how to investigate the events to set the line in splunk_metadata.csv appropriately to get the routing to happen as I wish.
All help appreciated.
> I have the following line in my splunk_metadata.csv
I don't see any line there, sir.