
Splunk Forwarding audittrail data to third party system via syslog not working

Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is a metrics.log value that I use to see the data coming off Splunk to that output and there is nothing there. Also, nothing is showing up in the SIEM.

Here is my config:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514

0 Karma

Re: Splunk Forwarding audittrail data to third party system via syslog not working

SplunkTrust

Where have you put the props, transforms and outputs? Is this a distributed environment?

If it's a single instance, then this needs to be in $splunk_home/etc/system/local. If it is a distributed environment, you'll have to make those changes in the same location but on all servers.

0 Karma

Re: Splunk Forwarding audittrail data to third party system via syslog not working

Hi stevepraz,

You may have already found the answer since, but in case, here's the recipe:

props.conf

[audittrail]
TRANSFORMS-audittrail = send_to_syslog

transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = siem_syslog_group

outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false

0 Karma
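A small consistency check for the props -> transforms -> outputs chain that both recipes in this thread rely on, added here as an example; it is not code from the thread or from Splunk. It assumes the three fragments are available as text (the constructed samples below are copied from the question and from the second answer) and generalizes the two recipes: a transform with DEST_KEY = _SYSLOG_ROUTING must pair with a [syslog:<group>] stanza, one with _TCP_ROUTING must pair with a [tcpout:<group>] stanza, and a tcpout group aimed at a non-Splunk receiver should carry sendCookedData = false as the answer shows. The check names (parse_conf, check_routing) are my own.

```python
import configparser
from typing import List

# Which outputs.conf stanza prefix each routing DEST_KEY expects (the two recipes in the thread).
DEST_TO_STANZA = {
    "_SYSLOG_ROUTING": "syslog",
    "_TCP_ROUTING": "tcpout",
}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style .conf fragment; keep key case so TRANSFORMS-xxx survives."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # do not lowercase keys
    cp.read_string(text)
    return cp


def check_routing(props_text: str, transforms_text: str, outputs_text: str) -> List[str]:
    """Return the wiring problems found in the chain; an empty list means it is consistent."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    outputs = parse_conf(outputs_text)
    problems: List[str] = []

    for sourcetype in props.sections():
        for key, value in props.items(sourcetype):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    problems.append(f"props [{sourcetype}] {key} references missing transforms stanza [{name}]")
                    continue
                t = transforms[name]
                dest = t.get("DEST_KEY", "")
                if dest not in DEST_TO_STANZA:
                    continue  # not an output-routing transform; nothing further to check here
                if not t.get("REGEX"):
                    problems.append(f"transforms [{name}] has no REGEX, so it never matches an event")
                group = t.get("FORMAT", "").strip()
                if not group:
                    problems.append(f"transforms [{name}] has no FORMAT naming an output group")
                    continue
                expected = f"{DEST_TO_STANZA[dest]}:{group}"
                if expected not in outputs:
                    problems.append(f"transforms [{name}] routes via {dest} to group '{group}' "
                                    f"but outputs.conf has no [{expected}] stanza")
                    continue
                cooked = outputs[expected].get("sendCookedData", "true")
                if dest == "_TCP_ROUTING" and cooked.strip().lower() != "false":
                    problems.append(f"outputs [{expected}] would send cooked (Splunk-to-Splunk) data; "
                                    f"a non-Splunk receiver needs sendCookedData = false")
    return problems


# Constructed samples: the fragments posted in the question (syslog output) and in the second answer (tcpout).
PROPS = """\
[audittrail]
TRANSFORMS-audittrail = send_to_syslog
"""

TRANSFORMS_SYSLOG = """\
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group
"""

OUTPUTS_SYSLOG = """\
[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
"""

TRANSFORMS_TCP = """\
[send_to_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = siem_syslog_group
"""

OUTPUTS_TCP = """\
[tcpout]
indexAndForward = true
defaultGroup = NoForwarding

[tcpout:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
sendCookedData = false
"""

if __name__ == "__main__":
    for label, t, o in [("question (syslog)", TRANSFORMS_SYSLOG, OUTPUTS_SYSLOG),
                        ("answer (tcpout)", TRANSFORMS_TCP, OUTPUTS_TCP),
                        ("mismatched DEST_KEY/outputs", TRANSFORMS_SYSLOG, OUTPUTS_TCP)]:
        print(label, "->", check_routing(PROPS, t, o) or "OK")
```

Both recipes from the thread pass as posted; pairing the question's _SYSLOG_ROUTING transform with the answer's tcpout stanza is reported as a missing [syslog:siem_syslog_group] stanza. The check only catches wiring mistakes between the three files; it says nothing about where the files live (the first answer's point) or about whether metrics.log shows data actually leaving.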