Getting Data In

Using Splunk Forwarder to Forward to ArcSight

splunkwelhammeu
Engager

I've read
http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd
And this looks possible, although with limitations.
I'm particularly thinking of forwarding to an existing ArcSight Logger instance.

Has anyone tried this, and what were their experiences?

Also, how would licensing and support work in this model?

MEsquandolas
New Member

I got it working. Splunk is now sending all Syslog events to my third party SIEM Receiver.

I am using Splunk free standalone on Win2K8 R2

In the /etc/system/local folder, edit the following .conf files (if they do not already exist, simply create them):

props.conf
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout

transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver

outputs.conf
[syslog:udpserver]
# server where you want to send syslog
server = 1.1.1.1

Good luck all.

I have figured out how to get Splunk to forward out syslog (in my case to McAfee SIEM Event Receiver).

I am using a free Splunk stand alone implementation on a Windows 2008 R2 System in my lab.

My .conf files have been placed in \Splunk\etc\system\local - if they are not there already, make them.

  1. outputs.conf
    [syslog:udpserver]
    # IP of system you want to forward logs to
    server = 10.10.10.10

  2. transforms.conf
    [syslogout]
    REGEX = .
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = udpserver

  3. props.conf
    [source::udp:514]
    TRANSFORMS-fwd2syslogout = syslogout

Hope this helps.

0 Karma
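A consistency check for the three stanzas in the posts above, added here as an example (it is not code from the posts or from Splunk): it parses props.conf, transforms.conf and outputs.conf and verifies the chain from a TRANSFORMS-* key through DEST_KEY = _SYSLOG_ROUTING and FORMAT to a matching [syslog:<group>] stanza, and also flags tcpout stanzas that still send cooked data. The file contents are constructed from the posts, with the IP annotation moved into a comment.

```python
import configparser

# Constructed sample contents of the three files from the posts above.
PROPS = """
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout
"""
TRANSFORMS = """
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver
"""
OUTPUTS = """
[syslog:udpserver]
server = 10.10.10.10:514
"""

def load_conf(text):
    # Splunk .conf keys are case-sensitive, so do not lowercase them.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_syslog_routing(props_text, transforms_text, outputs_text):
    """Return a list of problems in the props -> transforms -> outputs chain."""
    props, transforms, outputs = (load_conf(t) for t in (props_text, transforms_text, outputs_text))
    problems = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (v.strip() for v in value.split(",")):
                if not transforms.has_section(name):
                    problems.append(f"{stanza}: {key} refers to missing transform [{name}]")
                    continue
                t = transforms[name]
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    problems.append(f"[{name}]: DEST_KEY must be _SYSLOG_ROUTING for syslog output")
                group = t.get("FORMAT", "")
                if not outputs.has_section(f"syslog:{group}"):
                    problems.append(f"[{name}]: FORMAT={group!r} has no [syslog:{group}] stanza in outputs.conf")
                elif not outputs[f"syslog:{group}"].get("server"):
                    problems.append(f"[syslog:{group}]: server is not set")
    # Raw forwarding to a non-Splunk receiver over tcpout must not be cooked.
    for stanza in outputs.sections():
        if stanza.startswith("tcpout") and outputs[stanza].get("sendCookedData", "true").lower() != "false":
            problems.append(f"[{stanza}]: sendCookedData should be false when sending to a non-Splunk receiver")
    return problems
```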

bgamblin
Explorer

If you only want to forward log files from a specific directory on the universal forwarder to ArcSight, don't you also need an inputs.conf somewhere? I'm already sending *.debug in rsyslog.conf, but now they want some log files watched as well.

0 Karma

ramsanka
New Member

I am trying to forward the data (simple logs) from a universal forwarder to an ArcSight Logger. For achieving this I am passing the IP address of the ArcSight Logger and the port number. I am passing the default TCP server credentials that are there for the ArcSight Logger. Still I do not see the logs getting established. Is there any other configuration that needs to be done on the outputs.conf file, or logs that I can use to debug the issue further?

Is there any config we need to establish in the ArcSight Logger to ensure that the data comes from the Splunk forwarder?

0 Karma

tjohnson2
Explorer

Have you made any progress with this? I have this requirement as well, haven't started the setup yet but was interested in finding out if you found a solution.

My plan was to follow the instructions above and send the raw data from the heavy forwarder before the data is indexed.

0 Karma

ramsanka
New Member

Yes, it works. Simply make changes to the outputs.conf pointing to the ArcSight Logger and ensure the data is not cooked. I could see the raw data being received in the ArcSight Logger.

0 Karma

tjohnson2
Explorer

Awesome, thank you!

0 Karma

jbsplunk
Splunk Employee

We have people doing this, and as long as the data is sent out in a syslog format, things should work without an issue. There shouldn't really be any limitations, we should be able to send out anything we've indexed with the rawdata contained within the event. What kind of limitations were you concerned about?

I haven't done this myself, so I can't speak to direct experiences, but I have spoken with people who have done this.

Licensing counts data which has been indexed by Splunk. What happens when that data is sent to a third party isn't going to affect the license as the data was already written to an index within Splunk. You don't need any additional licensing to implement this functionality. Support won't be affected in any way, but it ends where the data leaves the Indexer.

0 Karma

jbsplunk
Splunk Employee

Well, you could do it from a heavy forwarder, because data is parsed there, but only after it has been indexed. That means you'd need to have an index configured and would be using licensing volume. There isn't a way to do this without having the data indexed. Again, nothing here that affects support, but your licensing will be impacted.

tjohnson2
Explorer

I understand using the heavy forwarder to send data to ArcSight, but can you also modify the outputs.conf file on the universal forwarder to forward raw data to ArcSight before indexing?

0 Karma

cmorenobuitrago
Explorer

Late but valid for future queries 🙂

It is possible to forward raw events from the UF by adding the following info to the outputs.conf:

sendCookedData = false

0 Karma

splunkwelhammeu
Engager

Thank you for the prompt answer,

From what you have said, are we only able to forward log data from an indexer and not directly from a forwarder (without an indexer)?

If we can send data from a Splunk forwarder directly to ArcSight, how is licensing / support impacted?

0 Karma