Getting Data In

What is best process of sending logs from Splunk to syslogng server ?

Communicator

Hi,
We are planning to forward Windows events logs from Splunk to RSA.
https://answers.splunk.com/answers/581066/how-splunk-can-send-data-to-third-party-system-spe.html

We already did the three approaches mentioned above and they were not working. We are trying to send data from Splunk to syslogng server and from there -- RSA collects data?

Is there any process of sending logs from Splunk to syslogng server?

Any help, please?

Splunk Employee
Splunk Employee

You can take a look at this app and its documentation to see if that would help you meet your needs. It's a search-based approach to forward data via SYSLOG specifically built for 3rd-party SIEM integrations.

That aside: If you followed the documentation here and it didn't work for you, can you explain what issue you were experiencing? Maybe we can collectively get you on the right track.

Communicator

Hi SSievert ,

We are now seeing traffic leave our Indexers when monitoring the interface via tcpdump . However RSA is not able to parse the data, even though the field mappings appear correct and in line with CEF standards template.

We suspect this may be because there is no priority value at the beginning of these events (which RSA needs apparently

From what I can see, the Splunk app for CEF configures the output.conf to use tcpout as the processor (instead of syslog). Could you confirm if this is correct and if so, would it be possible to change this to syslog?

Would really appreciate any help and support you can provide in this matter@ssievert

Thanks.

0 Karma

Splunk Employee
Splunk Employee

Can you share the outputs.conf?
Do you have a section that looks like this:
[syslog:myRSAservers]
type=tcp
priority=nn
etc.
as documented here?

0 Karma

Communicator

I believe app only build to send data tcp routing @ssievert .Also please find below outputs.conf
[tcpout:RSA_Netwitness]
Server =ip:port
blockONClonning= 5
sendCookedData=false

0 Karma