Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

VectraAI syslog to Splunk via SC4S

tkrjukoff
New Member
‎07-26-2023 04:02 AM

I have taken over a project from 2 colleagues to install and integrate VectraAI and Splunk.

We have a Vectra X29 as Brain/Sensor running Cognito Detect 7.0.2.

I have got the Vectra part up and running but have problems with getting data to Splunk. From Splunk representative I was recommended to use SC4S instead of sending the syslog data directly to Splunk which runs on W2019 Server platform (cannot install syslog-ng). SC4S runs on a CentOS Stream8 Server in a Podman Container.

Now, for the Vectra specific part:
1) Should I use Cognito Stream to send syslog to SC4S and if yes in syslog or JSON (some documentation recommends this with Universal Forwarder for Splunk). JSON doesn’t seem to work as it is now. I have configured HEC forwarding from SC4S to Splunk as recommended by documentation.

2) Should I use Notifications=>Syslog to send syslog to SC4S and if yes in syslog or JSON?

3) Can I send directly to Splunk’s Vectra Stream App?

 

Both 1 and 2 seem to work for SC4S but there I bump into problems. Not sure what the problem is there. HEC forwarding from SC4S to Splunk is coming live as it should with correct setup and it forwards Vectra data (nothing else collected by SC4S) to Splunk or maybe it doesn't since I see in Splunk drop Events.

 

I have configured a filter for Vectra in /opt/sc4s/env_file : SC4S_LISTEN_VECTRA_NETWORKS_X_SERIES_TCP_PORT=9101 which should identify the data as Vectra originated but I’m not sure SC4S handles it correctly. Lack documentation on how to troubleshoot indexed data in SC4S plus how correctly configure the /opt/sc4s/env_file and any other files needed. Have configured all Indexes according the SC4S documentation.

 

In Splunk I can see incoming Events with action=drop

26/07/2023      - - syslog-ng 155 – [meta sequenceId=”16928”]http: handled by response_action; action=’drop’, url=’htps://x.x.x.x:8088/services/collector/event’, status_code=’400’, driver=’d_hec_fmxt#0’, location=’root generator dest_hec:5:5’

12:19:03:144    Host = abcdlog2 | source = sc4s | sourcetype = sc4s:events

26/07/2023      - - syslog-ng 155 – [meta sequenceId=”16929”]Message(s) dropped while sending message to destination; driver=’d_hec_fmt#0’, worker_index=7’, time_reopen=’10’, batch_size=’1’

12:19:03:144    Host = abcdlog2 | source = sc4s | sourcetype = sc4s:events

Any advice would be appreciated.

 

Timo Krjukoff

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...