Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is a metrics.log value that I use to see the data coming off Splunk to that output and there is nothing there. Also, nothing is showing up in the SIEM.
Here is my config:
props.conf
[audittrail]
TRANSFORMS-audittrail = send_to_syslog
transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group
outputs.conf
[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
Hi stevepraz,
You may have already found the answer since, but in case, here's the recipe:
props.conf
[audittrail]
TRANSFORMS-audittrail = send_to_syslog
transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = siem_syslog_group
outputs.conf
[tcpout]
indexAndForward = true
defaultGroup = NoForwarding
[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false
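As an added example (not part of either post, and not a Splunk tool), here is a small Python check that follows the props -> transforms -> outputs chain the recipe above relies on and reports where it breaks; it assumes Splunk's pairing of _TCP_ROUTING with [tcpout:...] and _SYSLOG_ROUTING with [syslog:...], and the mismatched variant it tests is constructed:

```python
import configparser

# Splunk's pairing of DEST_KEY routing keys to outputs.conf stanza prefixes.
ROUTING_TARGETS = {"_TCP_ROUTING": "tcpout", "_SYSLOG_ROUTING": "syslog"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep 'TRANSFORMS-audittrail' exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_routing(props, transforms, outputs, sourcetype):
    """Follow TRANSFORMS-* -> DEST_KEY/FORMAT -> outputs stanza; return the problems found."""
    problems = []
    stanza = props.get(sourcetype, {})
    names = [v for k, v in stanza.items() if k.startswith("TRANSFORMS-")]
    if not names:
        return [f"props: no TRANSFORMS-* entry under [{sourcetype}]"]
    for name in (n.strip() for n in ",".join(names).split(",")):
        t = transforms.get(name)
        if t is None:
            problems.append(f"transforms: stanza [{name}] not found")
            continue
        prefix = ROUTING_TARGETS.get(t.get("DEST_KEY", ""))
        if prefix is None:
            problems.append(f"transforms [{name}]: DEST_KEY is not a routing key")
            continue
        group = f"{prefix}:{t.get('FORMAT', '')}"
        if group not in outputs:
            problems.append(f"outputs: no [{group}] stanza for DEST_KEY {t['DEST_KEY']}")
        elif prefix == "tcpout" and outputs[group].get("sendCookedData", "true") != "false":
            # tcpout sends cooked data by default; a plain syslog receiver needs raw events.
            problems.append(f"outputs [{group}]: set sendCookedData = false for a syslog receiver")
    return problems

# The answer's working recipe, copied from the post above.
PROPS = "[audittrail]\nTRANSFORMS-audittrail = send_to_syslog\n"
TRANSFORMS_TCP = "[send_to_syslog]\nREGEX = .\nDEST_KEY = _TCP_ROUTING\nFORMAT = siem_syslog_group\n"
OUTPUTS_TCP = ("[tcpout]\nindexAndForward = true\ndefaultGroup = NoForwarding\n"
               "[tcpout:siem_syslog_group]\nmaxEventSize = 4096\n"
               "server = servernamehere:514\nsendCookedData = false\n")
# Constructed mismatch: transforms selects _SYSLOG_ROUTING, but outputs only defines a tcpout group.
TRANSFORMS_SYSLOG = TRANSFORMS_TCP.replace("_TCP_ROUTING", "_SYSLOG_ROUTING")

def run():
    good = check_routing(parse_conf(PROPS), parse_conf(TRANSFORMS_TCP), parse_conf(OUTPUTS_TCP), "audittrail")
    bad = check_routing(parse_conf(PROPS), parse_conf(TRANSFORMS_SYSLOG), parse_conf(OUTPUTS_TCP), "audittrail")
    return good, bad

if __name__ == "__main__":
    print(run())
```

Run it against your own three files (read with open()) before restarting; a broken link in the chain is reported by stanza name rather than showing up as silence in metrics.log.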
Where have you put the props, transforms and outputs? Is this a distributed environment?
If it's a single instance, then this needs to be in $splunk_home/etc/system/local. If it is a distributed environment, you'll have to make those changes in the same location but on all servers.