Getting Data In

Splunk Forwarding audittrail data to third party system via syslog not working

stevepraz
Path Finder

Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is an metrics.log value that I use to see the data coming off Splunk to that output and there is nothing there. Also, nothing is showing up in the SIEM.

Here is my config:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
0 Karma

nicolas_perreau
Explorer

Hi stevepraz,

You may already found the answer since, but in case here's the recipe :

props.conf

 [audittrail]
 TRANSFORMS-audittrail = send_to_syslog

transforms.conf

 [send_to_syslog]
 REGEX = .
 DEST_KEY = _TCP_ROUTING
 FORMAT = siem_syslog_group

outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false
0 Karma

jkat54
SplunkTrust
SplunkTrust

Where have you put the props, transforms and outputs? Is this a distributed environment?

If its a single instance, then this needs to be in $splunk_home/etc/system/local. If it is a distributed environment, you'll have to make those changes in same location but on all servers.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...

Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents

Tech Talk Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents   Correlating ...

Observability Simplified: Combining User Experience, Application Performance & ...

  Tech Talk Network to App: Observability Unlocked   Today’s digital environments span applications, ...