Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

VectraAI syslog to Splunk via SC4S

tkrjukoff
New Member
‎07-26-2023 04:02 AM

I have taken over a project from 2 colleagues to install and integrate VectraAI and Splunk.

We have a Vectra X29 as Brain/Sensor running Cognito Detect 7.0.2.

I have got the Vectra part up and running but have problems with getting data to Splunk. From Splunk representative I was recommended to use SC4S instead of sending the syslog data directly to Splunk which runs on W2019 Server platform (cannot install syslog-ng). SC4S runs on a CentOS Stream8 Server in a Podman Container.

Now, for the Vectra specific part:
1) Should I use Cognito Stream to send syslog to SC4S and if yes in syslog or JSON (some documentation recommends this with Universal Forwarder for Splunk). JSON doesn’t seem to work as it is now. I have configured HEC forwarding from SC4S to Splunk as recommended by documentation.

2) Should I use Notifications=>Syslog to send syslog to SC4S and if yes in syslog or JSON?

3) Can I send directly to Splunk’s Vectra Stream App?

 

Both 1 and 2 seem to work for SC4S but there I bump into problems. Not sure what the problem is there. HEC forwarding from SC4S to Splunk is coming live as it should with correct setup and it forwards Vectra data (nothing else collected by SC4S) to Splunk or maybe it doesn't since I see in Splunk drop Events.

 

I have configured a filter for Vectra in /opt/sc4s/env_file : SC4S_LISTEN_VECTRA_NETWORKS_X_SERIES_TCP_PORT=9101 which should identify the data as Vectra originated but I’m not sure SC4S handles it correctly. Lack documentation on how to troubleshoot indexed data in SC4S plus how correctly configure the /opt/sc4s/env_file and any other files needed. Have configured all Indexes according the SC4S documentation.

 

In Splunk I can see incoming Events with action=drop

26/07/2023      - - syslog-ng 155 – [meta sequenceId=”16928”]http: handled by response_action; action=’drop’, url=’htps://x.x.x.x:8088/services/collector/event’, status_code=’400’, driver=’d_hec_fmxt#0’, location=’root generator dest_hec:5:5’

12:19:03:144    Host = abcdlog2 | source = sc4s | sourcetype = sc4s:events

26/07/2023      - - syslog-ng 155 – [meta sequenceId=”16929”]Message(s) dropped while sending message to destination; driver=’d_hec_fmt#0’, worker_index=7’, time_reopen=’10’, batch_size=’1’

12:19:03:144    Host = abcdlog2 | source = sc4s | sourcetype = sc4s:events

Any advice would be appreciated.

 

Timo Krjukoff

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...