Re: Splunk Forwarding audittrail data to third par...

stevepraz · ‎05-20-2016

Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is an metrics.log value that I use to see the data coming off Splunk to that output and there is nothing there. Also, nothing is showing up in the SIEM.

Here is my config:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514

nicolas_perreau · ‎09-22-2017

Hi stevepraz,

You may already found the answer since, but in case here's the recipe :

props.conf

 [audittrail]
 TRANSFORMS-audittrail = send_to_syslog

transforms.conf

 [send_to_syslog]
 REGEX = .
 DEST_KEY = _TCP_ROUTING
 FORMAT = siem_syslog_group

outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false

jkat54 · ‎05-23-2016

Where have you put the props, transforms and outputs? Is this a distributed environment?

If its a single instance, then this needs to be in $splunk_home/etc/system/local. If it is a distributed environment, you'll have to make those changes in same location but on all servers.

Splunk Forwarding audittrail data to third party system via syslog not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Join the Conversation