Splunk audit log in syslog output

Communicator

I have my splunk instance set up to receive data on a TCP port, sourcetype it, then output it to a Splunk receiver using the forwarder/receiver configuration. Everything is okay with that; my problem comes in when I try to configure a syslog output, as described at http://www.splunk.com/base/Documentation/4.1.2/Admin/Forwarddatatothird-partysystems and http://www.splunk.com/base/Documentation/4.0/Admin/ForwardtosyslogorHTTP

The remote server receives the data as I intended, but it also receives a whole bunch of Splunk audit events, particularly whenever a user uses the web interface.

outputs.conf:

[syslog]
defaultGroup=logserver

[syslog:logserver]
server = logserver:12345
type = tcp
sendCookedData = false

props.conf:

[to-be-syslogged]
TRANSFORMS-syslog = send_to_syslog

transforms.conf:

[send_to_syslog]
REGEX = .*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = logserver

It is my understanding that the bracket inside of props.conf specifies the sourcetype that I would like output to syslog. I have also tried host::* (and various iterations of server names), and source::tcp:5557 (the port that these particular entries are coming in on) to no avail.

The logs I am seeing on my syslog server include the logs I am looking for, but also have multiple entries such as:

<13>Audit:[timestamp=05-19-2010 14:52:32.090, user=admin, action=admin_all_objects, info=granted ][n/a]

Any ideas?

Thanks

Path Finder

Have you tried removing:

[syslog]
defaultGroup=logserver

from your outputs.conf?

As I read it, and from my own experience, it might change the behaviour from what you intend. Otherwise it looks good. If all else fails you can use REGEX = to negate certain log entries.
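A check for the configuration posted in the question, added here as an example and not part of either post: it parses the three .conf fragments and flags a defaultGroup under [syslog] (which, per Splunk's outputs.conf documentation, makes that group the default destination for all events, so audit events go too), a _SYSLOG_ROUTING transform whose FORMAT names no [syslog:<group>] stanza, and a transform that no TRANSFORMS-* key in props.conf references. The conf text is copied from the question; the lint logic and its messages are my own.

```python
import configparser
from typing import List

# Constructed copies of the three conf fragments from the question; the
# defaultGroup line under [syslog] is the one the answer suggests removing.
OUTPUTS_CONF = """
[syslog]
defaultGroup=logserver

[syslog:logserver]
server = logserver:12345
type = tcp
sendCookedData = false
"""
PROPS_CONF = "[to-be-syslogged]\nTRANSFORMS-syslog = send_to_syslog\n"
TRANSFORMS_CONF = "[send_to_syslog]\nREGEX = .*\nDEST_KEY = _SYSLOG_ROUTING\nFORMAT = logserver\n"


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style; keep key case (TRANSFORMS-*, DEST_KEY)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case option names
    cp.read_string(text)
    return cp


def check_syslog_routing(outputs: str, props: str, transforms: str) -> List[str]:
    """Return findings explaining why more than the intended events may reach syslog."""
    out, pr, tr = parse_conf(outputs), parse_conf(props), parse_conf(transforms)
    findings = []
    # 1. defaultGroup under [syslog] routes every event, bypassing selective routing.
    if out.has_section("syslog") and out.has_option("syslog", "defaultGroup"):
        findings.append("outputs.conf: [syslog] defaultGroup=%s sends every event (audit "
                        "events included) to syslog; remove it so only _SYSLOG_ROUTING "
                        "matches are forwarded" % out.get("syslog", "defaultGroup"))
    groups = {s.split(":", 1)[1] for s in out.sections() if s.startswith("syslog:")}
    refs = [v.replace(" ", "").split(",") for s in pr.sections()
            for k, v in pr.items(s) if k.startswith("TRANSFORMS-")]
    for stanza in tr.sections():
        if tr.get(stanza, "DEST_KEY", fallback="") != "_SYSLOG_ROUTING":
            continue
        # 2. The routing target must exist as a [syslog:<group>] stanza.
        target = tr.get(stanza, "FORMAT", fallback="")
        if target not in groups:
            findings.append("transforms.conf: [%s] FORMAT=%s has no [syslog:%s] stanza"
                            % (stanza, target, target))
        # 3. A transform that no props.conf TRANSFORMS-* key names never fires.
        if not any(stanza in names for names in refs):
            findings.append("props.conf: no TRANSFORMS-* key references [%s]" % stanza)
    return findings
```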

Communicator

definitely not, just raw TCP stream -> splunk -> syslog

Motivator

Am I reading this correctly in that you are doing Server -> Syslog -> Splunk Forwarder -> Syslog -> Splunk Indexer?

Communicator

Had the same problem. If you are using a regular forwarder (not a lightweight), you need to configure the indexer to receive the data using splunktcp instead of tcp. You can either use the default splunktcp port 9997, or add a new one. To add a new splunktcp input to the indexer, navigate to: Manager >> Forwarding and Receiving >> Receive Data >> add new. Specify the port number. You will need to configure the forwarder to set sourcetype.

From the inputs.conf documentation

[splunktcp://:]
* This is the same as TCP, except the remote server is assumed to be a Splunk server.

Worked for me!

Super Champion

Correction: Events coming from either normal splunk forwarders or lightweight splunk forwarders should both be received using the splunktcp input.