Getting Data In

forward logs from HF to third-party using syslog

KhalidAlharthi
Explorer

I have used this approach to forward logs from a specific index to a third-party system, in my case QRadar.

So I need to do the same, forwarding a specific index using syslog rather than TCP, because it takes time (I ran tcpdump to figure that out).

This is the approach I follow:

# props.conf

[default]
TRANSFORMS-send_foo_to_remote_siem

# transforms.conf

[send_foo_to_remote_siem]
REGEX = foo
SOURCE_KEY = _MetaData:Index
DEST_KEY = _TCP_ROUTING
FORMAT = remote_siem

# outputs.conf

[tcpout:remote_siem]
server = remotesiem:1234
sendCookedData = false

thanks


gcusello
SplunkTrust

Hi @KhalidAlharthi ,

Does your solution run?

I found an error: the transformation is missing in the props.conf.

I'm not sure that you can put the TRANSFORMS in the default stanza, and I don't like using a regex on the index field; I'd use a different approach:

# props.conf

[your_sourcetype]
TRANSFORMS-send_foo_to_remote_siem = send_foo_to_remote_siem

# transforms.conf

[send_foo_to_remote_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = remote_siem

# outputs.conf

[tcpout:remote_siem]
server = remotesiem:1234
sendCookedData = false

Then pay attention to the sourcetype: you must be sure that, in props.conf, you are using the original sourcetype and not one transformed by the add-on.

Ciao.

Giuseppe


KhalidAlharthi
Explorer

By this you are sending all the events to the remote SIEM.

I need to send just TMAO (Trend Micro).

So what is the best approach to do this using syslog?


gcusello
SplunkTrust

Hi @KhalidAlharthi ,

in props.conf, you have to use only the sourcetype of the logs to send to syslog.

If they are more than one, put more stanzas in props.

# props.conf

[TMAO_sourcetype]
TRANSFORMS-send_foo_to_remote_siem = send_foo_to_remote_siem

# transforms.conf

[send_foo_to_remote_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = remote_siem

# outputs.conf

[tcpout:remote_siem]
server = remotesiem:1234
sendCookedData = false

As I said, check the exact sourcetype name: I recently solved an issue similar to yours, where the error was the exact sourcetype name.

Ciao.

Giuseppe

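The following is an added example, not configuration from either post, that puts the accepted answer's sourcetype-keyed routing together with the syslog output the question actually asked for: a [syslog:<group>] stanza in outputs.conf and DEST_KEY = _SYSLOG_ROUTING in transforms.conf instead of [tcpout:<group>] and _TCP_ROUTING. The names TMAO_sourcetype, remote_siem, remotesiem and the index foo are the placeholders used in the thread; the port 514, the UDP transport and the priority value are assumptions.

```ini
# props.conf  (on the heavy forwarder: syslog output needs a full Splunk
# instance; a universal forwarder cannot do it)
# Key the stanza on the ORIGINAL sourcetype as the data arrives, not on a
# sourcetype that an add-on rewrites it to later.
[TMAO_sourcetype]
TRANSFORMS-send_foo_to_remote_siem = send_foo_to_remote_siem
# The "= <transform name>" on the right-hand side is required; without it
# the transform is never applied, which was the error in the first post.

# transforms.conf
[send_foo_to_remote_siem]
# Match every event of that sourcetype and add it to the syslog group.
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote_siem

# Alternative: select by index instead of sourcetype, as in the first post.
# Anchor the regex, otherwise "foo" would also match an index named "foobar".
# [send_index_foo_to_remote_siem]
# SOURCE_KEY = _MetaData:Index
# REGEX = ^foo$
# DEST_KEY = _SYSLOG_ROUTING
# FORMAT = remote_siem

# outputs.conf
# A [syslog:<group>] stanza, not [tcpout:<group>]: events leave as plain
# syslog lines with no Splunk framing, which is what a QRadar log source
# expects. Port 514 and udp are assumptions for this example.
[syslog:remote_siem]
server = remotesiem:514
# udp is the default and is fire-and-forget; set type = tcp if the receiver
# should get a reliable stream.
type = udp
# syslog PRI value (facility * 8 + severity); <13> is Splunk's default.
priority = <13>
```

Two things to check after deploying this: run `splunk btool props list TMAO_sourcetype --debug` and `splunk btool transforms list send_foo_to_remote_siem --debug` on the heavy forwarder to confirm the stanzas are the ones that win and that the TRANSFORMS line carries its value, and remember that _SYSLOG_ROUTING only adds a destination, so the events still continue to the indexers in the tcpout defaultGroup; use _TCP_ROUTING as well if they should stop being indexed locally.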

KhalidAlharthi
Explorer

Thanks @gcusello

Is it possible to define it like what you did,

[TMAO_sourcetype]

and if yes, the sourcetype of the data source, right?


gcusello
SplunkTrust

Hi @KhalidAlharthi ,

yes (I saw your other question!).

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


KhalidAlharthi
Explorer

Yeah, I picked your solution.

Could you please check your DM?


gcusello
SplunkTrust

Hi @KhalidAlharthi ,

what do you mean with "DM"?

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


KhalidAlharthi
Explorer

@gcusello I sent you a private message.
