Getting Data In

Splunk Forwarding audittrail data to third party system via syslog not working

stevepraz
Path Finder

Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is a metrics.log value that I use to see the data coming off Splunk to that output, and there is nothing there. Also, nothing is showing up in the SIEM.

Here is my config:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
0 Karma

nicolas_perreau
Explorer

Hi stevepraz,

You may have already found the answer since, but in case, here's the recipe:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false
0 Karma
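Both configurations in this thread hinge on one thing being consistent across three files: the transform's DEST_KEY must match the kind of stanza in outputs.conf that FORMAT points at (_SYSLOG_ROUTING pairs with a [syslog:<group>] stanza, _TCP_ROUTING with a [tcpout:<group>] stanza). The following checker is an added example, not code from the thread or from Splunk; it embeds constructed copies of the stanzas posted above, parses them with Python's configparser (Splunk .conf files are INI-like, with the assumption here that indented lines are not used, since configparser would treat them as continuations), and reports any dangling reference before you go hunting in metrics.log.

```python
"""Cross-check Splunk props/transforms/outputs stanzas for routing consistency.

Added example, not part of the original thread. Applies Splunk's documented pairing:
  DEST_KEY = _SYSLOG_ROUTING -> requires a [syslog:<group>] stanza in outputs.conf
  DEST_KEY = _TCP_ROUTING    -> requires a [tcpout:<group>] stanza in outputs.conf
where <group> is the transform's FORMAT value.
"""
import configparser

# Constructed samples mirroring the two variants posted in the thread.
PROPS = """[audittrail]
TRANSFORMS-audittrail = send_to_syslog
"""
TRANSFORMS_SYSLOG = """[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group
"""
TRANSFORMS_TCP = """[send_to_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = siem_syslog_group
"""
OUTPUTS_SYSLOG = """[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
"""
OUTPUTS_TCP = """[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false
"""

# Which outputs.conf stanza prefix each routing DEST_KEY expects.
ROUTING_STANZA_PREFIX = {
    "_SYSLOG_ROUTING": "syslog",
    "_TCP_ROUTING": "tcpout",
}


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    # Only '=' separates keys from values; ':' must stay inside values (host:port).
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (TRANSFORMS-audittrail, DEST_KEY)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_routing(props_text, transforms_text, outputs_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    outputs = parse_conf(outputs_text)
    problems = []
    for sourcetype, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-* key may list several transforms, comma separated.
            for tname in [t.strip() for t in value.split(",") if t.strip()]:
                t = transforms.get(tname)
                if t is None:
                    problems.append(f"[{sourcetype}] {key} references missing transform [{tname}]")
                    continue
                dest = t.get("DEST_KEY")
                prefix = ROUTING_STANZA_PREFIX.get(dest)
                if prefix is None:
                    continue  # not a routing transform; nothing to cross-check
                fmt = t.get("FORMAT")
                if not fmt:
                    problems.append(f"[{tname}] has DEST_KEY={dest} but no FORMAT (output group)")
                    continue
                stanza = f"{prefix}:{fmt}"
                if stanza not in outputs:
                    problems.append(f"[{tname}] routes to [{stanza}] but outputs.conf has no such stanza")
                elif "server" not in outputs[stanza]:
                    problems.append(f"[{stanza}] has no server setting")
    return problems


if __name__ == "__main__":
    for label, tr, out in [("syslog variant", TRANSFORMS_SYSLOG, OUTPUTS_SYSLOG),
                           ("tcpout variant", TRANSFORMS_TCP, OUTPUTS_TCP),
                           ("mismatched", TRANSFORMS_TCP, OUTPUTS_SYSLOG)]:
        print(label, "->", check_routing(PROPS, tr, out) or "OK")
```

Run it against the real files (for example by reading $SPLUNK_HOME/etc/system/local/props.conf and friends into the three arguments) on every instance that should be doing the routing; a clean result narrows the problem to placement or restarts rather than to a typo in a stanza name.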

jkat54
SplunkTrust

Where have you put the props, transforms and outputs? Is this a distributed environment?

If it's a single instance, then this needs to be in $splunk_home/etc/system/local. If it is a distributed environment, you'll have to make those changes in the same location but on all servers.

0 Karma