I've read
http://www.splunk.com/base/Documentation/latest/Deploy/Forwarddatatothird-partysystemsd
And this looks possible, although with limitations.
I'm particularly thinking of forwarding to an existing ArcSight Logger instance.
Has anyone tried this, and what were their experiences?
Also, how would licensing and support work in this model?
I got it working. Splunk is now sending all Syslog events to my third party SIEM Receiver.
I am using Splunk free standalone on Win2K8 R2
In the /etc/system/local folder, edit the following .conf files (if they do not already exist, simply create them)
props.conf
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout
transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver
outputs.conf
[syslog:udpserver]
server = 1.1.1.1:514
# host:port of the server where you want to send syslog (port assumed here; 514 is the syslog default)
Good luck all.
I have figured out how to get Splunk to forward out syslog. (in my case to McAfee SIEM Event Receiver)
I am using a free Splunk stand-alone implementation on a Windows 2008 R2 System in my lab.
My .conf files have been placed in \Splunk\etc\system\local - if they are not there already, make them
outputs.conf
[syslog:udpserver]
server = 10.10.10.10:514
# IP:port of the system you want to forward logs to (port assumed here; 514 is the syslog default)
transforms.conf
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver
props.conf
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout
Hope this helps.
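The two posts above describe the same three-file chain (props.conf -> transforms.conf -> outputs.conf), and the easiest thing to get wrong is a name that does not line up between files. As an added example, not code from either poster or from Splunk, here is a small Python checker that reads the three files and verifies the chain end to end: every TRANSFORMS-* key names an existing transforms stanza, that stanza routes through _SYSLOG_ROUTING, its FORMAT names a [syslog:<name>] stanza in outputs.conf, and server is a clean host:port value (an inline note such as "1.1.1.1 (server where ...)" would otherwise become part of the value). The embedded file contents are constructed copies of the posts' configs; 1.1.1.1 is the posters' placeholder and the :514 port is an assumption.

```python
"""Check that a Splunk syslog-routing chain is wired consistently across
props.conf -> transforms.conf -> outputs.conf (added example, not Splunk code)."""
import configparser

# Constructed copies of the three files from the posts above. 1.1.1.1 is the
# posters' placeholder; the :514 port is an assumption (syslog default).
PROPS_CONF = """
[source::udp:514]
TRANSFORMS-fwd2syslogout = syslogout
"""

TRANSFORMS_CONF = """
[syslogout]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = udpserver
"""

OUTPUTS_CONF = """
[syslog:udpserver]
server = 1.1.1.1:514
"""


def load_conf(text):
    """Parse Splunk .conf text. Keys are case-sensitive (TRANSFORMS-x is not transforms-x),
    and only '=' separates key from value, so a ':' in a value or stanza name is kept."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_syslog_routing(props_text, transforms_text, outputs_text):
    """Return a list of problems; an empty list means every TRANSFORMS-* key in
    props.conf leads to a usable [syslog:<name>] stanza in outputs.conf."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    outputs = load_conf(outputs_text)
    problems = []
    routed = 0

    for stanza in props.sections():
        for key, value in props[stanza].items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # One TRANSFORMS-* key may list several transforms, comma-separated.
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    problems.append(f"[{stanza}] {key}: no [{name}] stanza in transforms.conf")
                    continue
                t = transforms[name]
                if "REGEX" not in t:
                    problems.append(f"[{name}]: REGEX is required (use '.' to match every event)")
                    continue
                if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    problems.append(f"[{name}]: DEST_KEY must be _SYSLOG_ROUTING, got {t.get('DEST_KEY')!r}")
                    continue
                target = t.get("FORMAT", "")
                out_stanza = f"syslog:{target}"
                if out_stanza not in outputs:
                    problems.append(f"[{name}]: FORMAT={target!r} but outputs.conf has no [{out_stanza}] stanza")
                    continue
                server = outputs[out_stanza].get("server", "")
                host, sep, port = server.rpartition(":")
                # An inline note like "1.1.1.1 (server where ...)" ends up inside the
                # value, so anything that is not a clean host:port is rejected here.
                if not sep or not host or not port.isdigit() or any(c.isspace() for c in server):
                    problems.append(f"[{out_stanza}]: server must be host:port, got {server!r}")
                    continue
                routed += 1

    if routed == 0 and not problems:
        problems.append("no TRANSFORMS-* key in props.conf routes anything to a [syslog:*] output")
    return problems


if __name__ == "__main__":
    for p in check_syslog_routing(PROPS_CONF, TRANSFORMS_CONF, OUTPUTS_CONF) or ["routing chain OK"]:
        print(p)
```

To run it against a real deployment, read the three files from $SPLUNK_HOME/etc/system/local (or the app directory you put them in) and pass their text in; the checker only looks at the keys shown in the posts, so settings it does not know about are ignored rather than flagged.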
If you only want to forward log files from a specific directory on the universal forwarder to ArcSight, don't you also need an inputs.conf somewhere? I'm already sending *.debug in rsyslog.conf, but now they want some log files watched as well.
I am trying to forward the data (simple logs) from a universal forwarder to an ArcSight Logger. For achieving this I am passing the IP address of the ArcSight Logger and the port number. I am passing the default TCP server credentials that are there for the ArcSight Logger. Still I do not see the logs getting established. Is there any other configuration that needs to be done on the outputs.conf file, or logs that I can use to debug the issue further?
Is there any config we need to establish in the ArcSight Logger to ensure that the data comes from the splunkforwarder?
Have you made any progress with this? I have this requirement as well, haven't started the setup yet but was interested in finding out if you found a solution.
My plan was to follow the instructions above and send the raw data from the heavy forwarder before the data is indexed.
Yes, it works. Simply make changes to the outputs.conf pointing to the ArcSight Logger and ensure the data is not cooked. I could see the raw data being received in the ArcSight Logger.
Awesome, thank you!
We have people doing this, and as long as the data is sent out in a syslog format, things should work without an issue. There shouldn't really be any limitations, we should be able to send out anything we've indexed with the rawdata contained within the event. What kind of limitations were you concerned about?
I haven't done this myself, so I can't speak to direct experiences, but I have spoken with people who have done this.
Licensing counts data which has been indexed by Splunk. What happens when that data is sent to a third party isn't going to affect the license as the data was already written to an index within Splunk. You don't need any additional licensing to implement this functionality. Support won't be affected in any way, but it ends where the data leaves the Indexer.
Well, you could do it from a heavy forwarder, because data is parsed there, but only after it has been indexed. That means you'd need to have an index configured and would be using licensing volume. There isn't a way to do this without having the data indexed. Again, nothing here that affects support, but your licensing will be impacted.
I understand using the Heavy Forwarder to send data to ArcSight, but can you also modify the outputs.conf file on the Universal Forwarder as well to forward raw data to ArcSight before indexing?
Late but valid for future queries 🙂
It is possible to forward raw events from the UF by adding the following info to the outputs.conf:
[tcpout]
# or the [tcpout:<group>] stanza that points at the third-party receiver
sendCookedData = false
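Several replies above hinge on the data arriving raw, not cooked, at the third-party receiver, whether via a [syslog:<name>] output on an indexer or heavy forwarder or via sendCookedData = false on a UF. As an added example (not Splunk's, ArcSight's or any poster's code), this Python snippet is a receiver-side check you can run in the lab before pointing a real ArcSight Logger or SIEM receiver at the forwarder: it classifies each received payload as cooked S2S data, a syslog line with a valid PRI, or plain raw text, and decodes the PRI into facility and severity. The sample payloads are constructed; the cooked-data signature string is the S2S v3 stream header as I know it (verify it against your Splunk version), and the 5514 listening port is an assumption for unprivileged lab use.

```python
"""Receiver-side check: is what arrives from Splunk raw syslog or cooked S2S data?
Added example; not Splunk's, ArcSight's or any poster's code."""
import re
import socket

# Splunk's cooked (S2S) stream opens with this signature; a third-party receiver
# that sees it is getting data it cannot parse. Signature as known to the author
# of this example; check it against your Splunk version.
COOKED_SIGNATURE = b"--splunk-cooked-mode-v3--"
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(data: bytes):
    """Split an RFC 3164 PRI into (facility, severity); None if absent or out of range."""
    m = PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities x 8 severities, so 191 is the largest legal PRI
        return None
    return pri // 8, pri % 8


def classify_payload(data: bytes) -> str:
    """'cooked' for S2S data, 'syslog' for a line with a valid <PRI>, else 'raw'."""
    if data.startswith(COOKED_SIGNATURE):
        return "cooked"
    if decode_pri(data) is not None:
        return "syslog"
    return "raw"


def summarize(payloads):
    """Count verdicts for a batch. needs_raw_output is True when any cooked data
    was seen, i.e. the forwarder still needs sendCookedData = false or a
    [syslog:<name>] output instead of a plain tcpout group."""
    counts = {"cooked": 0, "syslog": 0, "raw": 0}
    for d in payloads:
        counts[classify_payload(d)] += 1
    counts["needs_raw_output"] = counts["cooked"] > 0
    return counts


# Constructed sample payloads: a syslog line as a [syslog:...] output emits it,
# a bare line with no PRI, and the start of a cooked S2S stream.
SAMPLE_PAYLOADS = [
    b"<34>Oct 11 22:14:15 host01 sshd[2114]: Accepted publickey for deploy from 192.0.2.10 port 4242 ssh2",
    b"bare event text with no PRI header",
    COOKED_SIGNATURE + b"\x00" * 16,
]


if __name__ == "__main__":
    # Stand-alone lab listener for the UDP [syslog:udpserver] case. Port 5514 is an
    # assumption (unprivileged stand-in for 514); point the server setting at it.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 5514))
    while True:
        data, peer = sock.recvfrom(65535)
        print(peer[0], classify_payload(data), decode_pri(data), data[:60])
```

The listener handles the UDP case from the earlier posts; a UF with sendCookedData = false sends over TCP as a byte stream, so for that path accept a TCP connection instead and split the stream on newlines before passing each line to classify_payload. A cooked verdict on even one payload means the receiver is talking to a tcpout group that is still sending S2S data.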
Thank you for the prompt answer.
From what you have said are we only able to forward log data from an indexer and not directly from a forwarder (without an indexer)?
If we can send data from a Splunk forwarder directly to ArcSight, how is licensing / support impacted?