Syslog Forwarding Filtering

tsocyberoperati
Loves-to-Learn Lots

Hello,

Imagine you have hundreds of Windows Universal Forwarders each sending three sources to your "Heavy Forwarders" then forwarded to the Indexers.

Imagine you want to send just one of the sources, source A, of one of those Universal Forwarders, host A, via Syslog to a 3rd Party.

Is there an "elegant way" of filtering just that specific source of that specific host to be sent via syslog on the "Heavy Forwarders"/Indexers?

Thank you

gcusello
SplunkTrust

Hi @tsocyberoperati ,

you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.3.1/Forwarding/Forwarddatatothird-partysystemsd#Forwa...

in props.conf

[host::hostA]
TRANSFORMS-hostA = send_to_syslog

in transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

where my_syslog_group is the stanza in outputs.conf.

Ciao.

Giuseppe

tsocyberoperati
Loves-to-Learn Lots

Thank you Giuseppe.

But the problem is related to filtering just one of the sources of that host.

If you place a REGEX that is able to catch only the events of that specific source, you're good to go.

But imagine you don't have a REGEX that can catch all the events of that source. How can you filter?

gcusello
SplunkTrust

Hi @tsocyberoperati ,

in props.conf you can choose a source or a host to filter.

If, choosing the source, you can find the hostname in your logs with a regex, you can solve your issue:

e.g. if your source is "/opt/tmp/files/myfile.txt" and the host name is contained in the logs and it's "my_host", you could try:

in props.conf

[source::/opt/tmp/files/myfile.txt]
TRANSFORMS-hostA = send_to_syslog

in transforms.conf

[send_to_syslog]
REGEX = my_host
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

The only limit is that the hostname must be contained in all events.

Ciao.

Giuseppe

PickleRick
SplunkTrust

This is not a reliable way. If any other host mentions the host we're after, such an event will get routed to syslog...

gcusello
SplunkTrust

Hi @tsocyberoperati ,

@PickleRick's hint is correct, but you can use this approach by finding a correct regex to identify the hosts.

Ciao.

Giuseppe

PickleRick
SplunkTrust

You _probably_ (haven't tested it myself but I don't see why it shouldn't work) could do it using INGEST_EVAL.

Something like

[host::hostA]
TRANSFORMS-hostA = send_to_syslog
[send_to_syslog]
REGEX = .
INGEST_EVAL = _SYSLOG_ROUTING=if(source="whatever","my_syslog_group",null())

EDIT: OK, there is obviously a much easier way I forgot about.

[send_to_syslog]
REGEX = /somewhere/my/source/file.txt
SOURCE_KEY = MetaData:Source
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
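As an added illustration (not code from this thread or from Splunk itself), the Python below simulates how a props.conf stanza plus a transforms.conf REGEX/SOURCE_KEY pair decides whether _SYSLOG_ROUTING gets set, over constructed events from two Windows hosts. It shows why a regex on the raw text forwards a hostB event that merely mentions hostA to the third party, while SOURCE_KEY = MetaData:Source does not. The event fields, paths and the "source::" prefix on MetaData:Source are modelled here as assumptions, not taken from the thread.

```python
import re

# Constructed sample events (not from the thread): two Windows hosts, each
# sending the same two sources; one hostB event merely mentions hostA.
EVENTS = [
    {"host": "hostA", "source": r"C:\logs\appA.log", "_raw": "hostA appA started"},
    {"host": "hostA", "source": r"C:\logs\appB.log", "_raw": "hostA appB heartbeat"},
    {"host": "hostB", "source": r"C:\logs\appA.log", "_raw": "hostB session from hostA"},
    {"host": "hostB", "source": r"C:\logs\appB.log", "_raw": "hostB appB heartbeat"},
]

def field_value(event, source_key):
    """Resolve a transforms.conf SOURCE_KEY as modelled here: _raw is the event
    text, MetaData:Source is the source path carrying a 'source::' prefix."""
    if source_key == "_raw":
        return event["_raw"]
    if source_key == "MetaData:Source":
        return "source::" + event["source"]
    raise ValueError(f"unsupported SOURCE_KEY: {source_key}")

def routed_to_syslog(event, stanza, regex, source_key="_raw"):
    """True when the props.conf stanza (host::X or source::X) selects the event
    and the transform's REGEX matches SOURCE_KEY, i.e. _SYSLOG_ROUTING is set."""
    kind, _, value = stanza.partition("::")
    if event[kind] != value:
        return False
    return re.search(regex, field_value(event, source_key)) is not None

def select(stanza, regex, source_key="_raw"):
    """(host, source) pairs that a given props/transforms pair would forward."""
    return [(e["host"], e["source"]) for e in EVENTS
            if routed_to_syslog(e, stanza, regex, source_key)]

# 1) [host::hostA] with REGEX = . : forwards every source of hostA, not just appA.
ALL_OF_HOST = select("host::hostA", ".")
# 2) [source::...appA.log] with REGEX = hostA on _raw: hostB's appA event is
#    forwarded too because its text mentions hostA (the objection raised above).
RAW_MATCH = select(r"source::C:\logs\appA.log", "hostA")
# 3) [host::hostA] with SOURCE_KEY = MetaData:Source and the REGEX on the path:
#    only hostA's appA events are forwarded.
METADATA_MATCH = select("host::hostA", r"appA\.log$", "MetaData:Source")

if __name__ == "__main__":
    print("REGEX=. :", ALL_OF_HOST)
    print("raw regex:", RAW_MATCH)
    print("MetaData:Source:", METADATA_MATCH)
```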