Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Forwarding audittrail data to third party system via syslog not working

stevepraz
Path Finder
‎05-20-2016 08:04 AM

Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is an metrics.log value that I use to see the data coming off Splunk to that output and there is nothing there. Also, nothing is showing up in the SIEM.

Here is my config:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
0 Karma
Reply

nicolas_perreau
Explorer
‎09-22-2017 12:18 PM

Hi stevepraz,

You may already found the answer since, but in case here's the recipe :

props.conf

 [audittrail]
 TRANSFORMS-audittrail = send_to_syslog

transforms.conf

 [send_to_syslog]
 REGEX = .
 DEST_KEY = _TCP_ROUTING
 FORMAT = siem_syslog_group

outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-23-2016 08:09 AM

Where have you put the props, transforms and outputs? Is this a distributed environment?

If its a single instance, then this needs to be in $splunk_home/etc/system/local. If it is a distributed environment, you'll have to make those changes in same location but on all servers.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...