VectraAI syslog to Splunk via SC4S

tkrjukoff
New Member

I have taken over a project from 2 colleagues to install and integrate VectraAI and Splunk.

We have a Vectra X29 as Brain/Sensor running Cognito Detect 7.0.2.

I have got the Vectra part up and running but have problems with getting data to Splunk. A Splunk representative recommended that I use SC4S instead of sending the syslog data directly to Splunk, which runs on a W2019 Server platform (cannot install syslog-ng). SC4S runs on a CentOS Stream 8 server in a Podman container.

Now, for the Vectra specific part:
1) Should I use Cognito Stream to send syslog to SC4S, and if yes, in syslog or JSON (some documentation recommends this with the Universal Forwarder for Splunk)? JSON doesn't seem to work as it is now. I have configured HEC forwarding from SC4S to Splunk as recommended by the documentation.

2) Should I use Notifications=>Syslog to send syslog to SC4S and if yes in syslog or JSON?

3) Can I send directly to Splunk’s Vectra Stream App?


Both 1 and 2 seem to work for SC4S but there I bump into problems. Not sure what the problem is there. HEC forwarding from SC4S to Splunk is coming live as it should with correct setup and it forwards Vectra data (nothing else collected by SC4S) to Splunk or maybe it doesn't since I see in Splunk drop Events.


I have configured a filter for Vectra in /opt/sc4s/env_file: SC4S_LISTEN_VECTRA_NETWORKS_X_SERIES_TCP_PORT=9101, which should identify the data as Vectra-originated, but I'm not sure SC4S handles it correctly. I lack documentation on how to troubleshoot indexed data in SC4S, plus how to correctly configure /opt/sc4s/env_file and any other files needed. I have configured all indexes according to the SC4S documentation.


In Splunk I can see incoming Events with action=drop

26/07/2023      - - syslog-ng 155 – [meta sequenceId=”16928”]http: handled by response_action; action=’drop’, url=’htps://x.x.x.x:8088/services/collector/event’, status_code=’400’, driver=’d_hec_fmxt#0’, location=’root generator dest_hec:5:5’

12:19:03:144    Host = abcdlog2 | source = sc4s | sourcetype = sc4s:events

26/07/2023      - - syslog-ng 155 – [meta sequenceId=”16929”]Message(s) dropped while sending message to destination; driver=’d_hec_fmt#0’, worker_index=7’, time_reopen=’10’, batch_size=’1’

12:19:03:144    Host = abcdlog2 | source = sc4s | sourcetype = sc4s:events

Any advice would be appreciated.


Timo Krjukoff
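The two sc4s:events lines quoted in the post are syslog-ng's own internal messages about the HEC destination, and the useful fact in them is the HTTP status that Splunk's collector endpoint returned (400), not the "Message(s) dropped" line that follows it. The script below is an added example, not code from the post, from SC4S or from Splunk: it parses lines of that shape, groups the drop events per HEC driver, and maps the HTTP status to what the HEC reply codes documented by Splunk say about it. The sample lines are constructed from the ones in the post (quotes normalised, destination host replaced with a fake name); the STATUS_HINTS wording is this example's own interpretation of the HEC documentation.

```python
import re
from collections import Counter

# Constructed sample: two sc4s:events lines of the kind quoted in the post,
# with curly quotes normalised and an obviously fake HEC destination host.
SAMPLE_EVENTS = [
    "26/07/2023 - - syslog-ng 155 - [meta sequenceId=\"16928\"]http: handled by response_action; "
    "action='drop', url='https://hec.example.invalid:8088/services/collector/event', "
    "status_code='400', driver='d_hec_fmt#0', location='root generator dest_hec:5:5'",
    "26/07/2023 - - syslog-ng 155 - [meta sequenceId=\"16929\"]Message(s) dropped while sending "
    "message to destination; driver='d_hec_fmt#0', worker_index='7', time_reopen='10', batch_size='1'",
]

KV_RE = re.compile(r"(\w+)='([^']*)'")          # key='value' pairs after the ';'
SEQ_RE = re.compile(r'\[meta sequenceId="(\d+)"\]')

# Interpretation of the HTTP status HEC returned (assumption: summarised from the
# HEC reply-code table in Splunk's docs). 400 covers a malformed payload and an
# index the token is not allowed to write to; 401/403 are token problems; 503 is
# the indexer refusing load. The 400 in the post therefore points at the payload
# or the index/token pairing, not at network reachability.
STATUS_HINTS = {
    "400": "bad request: malformed event payload, or index not accepted for this token",
    "401": "unauthorized: token missing or rejected",
    "403": "forbidden: token disabled or not permitted",
    "503": "server busy: HEC/indexer is not accepting data",
}


def parse_event(line):
    """Split one syslog-ng internal message into the message text and its key='value' fields."""
    m = SEQ_RE.search(line)
    seq = int(m.group(1)) if m else None
    after_meta = line[m.end():] if m else line
    msg, _, kv_part = after_meta.partition(";")
    return {"seq": seq, "msg": msg.strip(), "fields": dict(KV_RE.findall(kv_part))}


def summarize_drops(lines):
    """Count HEC responses and dropped batches per destination driver, so one 400 from
    the collector endpoint is reported per destination instead of being buried under
    a stream of 'Message(s) dropped' lines."""
    summary = {}
    for line in lines:
        ev = parse_event(line)
        driver = ev["fields"].get("driver")
        if driver is None:
            continue
        entry = summary.setdefault(
            driver, {"responses": Counter(), "dropped_batches": 0, "urls": set()}
        )
        if ev["fields"].get("action") == "drop":
            entry["responses"][ev["fields"].get("status_code", "?")] += 1
            entry["urls"].add(ev["fields"].get("url", ""))
        elif ev["msg"].startswith("Message(s) dropped"):
            entry["dropped_batches"] += 1
    return summary


def explain(summary):
    """Render the per-driver summary as one line per status code plus a drop count."""
    out = []
    for driver, entry in summary.items():
        for code, n in entry["responses"].items():
            hint = STATUS_HINTS.get(code, "see the HEC reply-code table for this status")
            out.append(f"{driver}: {n} x HTTP {code} from {', '.join(sorted(entry['urls']))} -> {hint}")
        out.append(f"{driver}: {entry['dropped_batches']} batch(es) dropped")
    return out


if __name__ == "__main__":
    # Usage: feed it the raw sc4s:events text exported from a Splunk search.
    for text in explain(summarize_drops(SAMPLE_EVENTS)):
        print(text)
```

Run against an export of `sourcetype=sc4s:events` the script gives one line per HEC destination and status code; a 400 with the destination URL tells you to check the event payload and whether the token is allowed to write to the index SC4S assigns to the source, which is where a mismatch between the SC4S index setup and the token's permitted indexes would show up.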
