Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding splunk'd logs to third party siem - McAfee ESM

MattQ
Explorer
‎07-23-2013 03:36 PM

I am told it is very simple to take already indexed events from splunk and send them over to a 3rd party SIEM appliance like McAfee ESM.

Has anyone done this successfully? How hard was it to implement? Can you limit / forward only selected events? Can you limit forwarding to only select hosts or log types?

I have seen a few other similar questions and it seems INCREDIBLY simple, to the point of adding only a few lines of code to a few files. Is it really that easy?

Reply
1 Solution
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎07-24-2013 09:21 PM

Use the REST or other API or the CLI to perform a search (scheduled or even real-time) and have the results sent to whatever API or file the other tool uses.

It's relatively simple, really, and you can do this with any search you want so you can send selective results to your other tool.

--
Jesse Trucks
Minister of Magic

View solution in original post

Reply
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎07-24-2013 09:21 PM

Use the REST or other API or the CLI to perform a search (scheduled or even real-time) and have the results sent to whatever API or file the other tool uses.

It's relatively simple, really, and you can do this with any search you want so you can send selective results to your other tool.

--
Jesse Trucks
Minister of Magic
Reply
Solved! Jump to solution

kupawar
New Member
‎05-17-2017 05:15 AM

please refer any link or document.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎07-25-2013 06:12 AM

You could also use a heavy forwarder and forward the data to McAfee via syslog at the same time as it sends it to your Splunk indexer. Of course this is before the data is indexed. This will also give you the flexibility to send a subset of the data. See the docs below:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd

Reply
Solved! Jump to solution

mariogiovannitt
New Member
‎12-01-2015 07:02 AM

I configured the outputs.conf in my etc/local dir to forward AD logs from an indexer to a 3rd part SIEM . restarted, and still no joy. any ideas.

0 Karma
Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎07-25-2013 05:54 AM

You may also want to look at the Real-Time output app:

http://splunk-base.splunk.com/apps/48082/splunk-real-time-output

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...