
Can you forward data from a Splunk Enterprise instance to both Splunk Cloud and a syslog server?

asmyth1995
Explorer

Hi

I set up a Splunk Enterprise instance on a Windows VM to collect Active Directory logs. I wanted to forward these logs to both Splunk Cloud and a syslog server. I set up a universal forwarder on the VM and installed the credentials on both the Splunk Enterprise instance and the universal forwarder. I also made the changes to the outputs.conf file to send data from port 514. I see the events coming into Splunk Cloud, but there don't seem to be any events leaving port 514. I also noticed that the Splunk Enterprise instance isn't receiving any events after setting this up; is that meant to happen? Do I need more than one universal forwarder to forward the logs to multiple places?


gcusello
SplunkTrust

Hi @asmyth1995 ,

Let me understand: you installed a Splunk Enterprise instance and a Universal Forwarder on the same VM, is that correct?

If you did this, it's not correct:

you can use a Splunk instance as a Heavy Forwarder to collect AD logs and send them both to Splunk Cloud and to a third-party syslog server.

You can find docs about sending syslog to a third party at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Replicate_a_... .

Ciao.

Giuseppe


asmyth1995
Explorer

Hi Giuseppe

Thanks for responding. For clarification, the instructions mention two IP addresses:

  • Splunk Enterprise indexer (10.1.12.1:9997)
  • third-party machine (10.1.12.2:1234)

For this to work, do I need to set up my Splunk Enterprise indexer and the third-party machine before setting this up?


isoutamo
SplunkTrust

Hi

Definitely you must have the syslog receiver (and also your Splunk indexer) working before you do this. If there isn't any service to receive those events, then they are queued in the tcpout queue, and when it's full this node doesn't send events to any receivers until all queues are flushed!

r. Ismo


asmyth1995
Explorer

Hi

Just to confirm, is the Splunk indexer the same as the Splunk Enterprise instance that is set up collecting Active Directory logs? Also, is there a syslog receiver that you would recommend for anyone on a Splunk Cloud trial?


gcusello
SplunkTrust

Hi @asmyth1995 ,

Probably there's a misunderstanding, or I didn't understand your architecture:

  • you have Splunk Cloud,
  • you have a third-party syslog receiver on a different server,
  • what's the Splunk Enterprise instance?
  • what's its role? Is it a Heavy Forwarder?

If you need an instance to extract AD logs and forward them both to Splunk Cloud and to a third-party syslog, you don't need to also have a Universal Forwarder on the same VM, but only a full Splunk instance configured as a Heavy Forwarder.

If you're speaking of the UFs on the Domain Controllers that send logs to the Heavy Forwarder, OK, they are configured to send their logs to the HF.

Then the HF sends logs to both destinations (Splunk Cloud and syslog).

Ciao.

Giuseppe


isoutamo
SplunkTrust

Yes, it's like that:

  • Splunk Indexer <=> Splunk Enterprise instance

If you don't have any syslog server on hand, then one option is Splunk Connect for Syslog. Basically, in the trial phase you could use almost any syslog server with the correct configuration to send those events directly to Splunk Cloud, or first collect them to disk and then use a UF to send them to SC.

I'm just wondering why you want to route those via a syslog server instead of sending them directly to SC?


asmyth1995
Explorer

Thanks for responding. How do I find the IP address for the Splunk Enterprise instance? I noticed an IP address is present in the URL bar of the browser, but it is 127.0.0.1. I just wanted to confirm whether that is the correct way to find the IP address.

Also, how do I do the same for the syslog server after setting it up?

One more thing: say I decided not to use a heavy forwarder and instead wanted to use a universal forwarder. How do I find the IP address for the universal forwarder, since it doesn't have a UI like Splunk Enterprise, which I think is meant to act as a Heavy Forwarder?


isoutamo
SplunkTrust

127.0.0.1 is localhost, which cannot be used from outside of that host. Basically, you must know the external IP address or FQDN (fully qualified domain name) of the hosts where you have installed those components.


gcusello
SplunkTrust

Hi @asmyth1995 ,

You said that you have Splunk Cloud; this means that you have to use the app downloaded from Splunk Cloud.

Then, in this app or in a different app (better!), you have to add the stanzas for syslog routing in outputs.conf, and add the props.conf and transforms.conf that you can find in the above link.

Obviously your Splunk Cloud must be ready to receive logs, and also the syslog receiver; otherwise you cannot check the configuration.

See in the Community: there are many answers on this item.

I found many issues in syslog configuration, but I described a solution at https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-an... .

Ciao.

Giuseppe

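A constructed example of the outputs.conf, props.conf and transforms.conf stanzas Giuseppe refers to (added here; not the thread's or Splunk's own configuration). It assumes a Heavy Forwarder on the collecting VM, the receiver address the thread uses as a sample (10.1.12.2:1234), the classic WinEventLog:Security sourcetype, and a placeholder name for the tcpout group that the Splunk Cloud credentials app already defines:

```ini
# --- outputs.conf (e.g. $SPLUNK_HOME/etc/apps/my_routing/local/ on the HF) ---
# Splunk Cloud: the downloaded credentials app already defines a
# [tcpout:<group>] stanza. Only set defaultGroup here if that app does not,
# and replace the placeholder with the group name the app actually uses.
[tcpout]
defaultGroup = PLACEHOLDER_splunkcloud_group

# Third-party syslog receiver (sample address from the thread). It must be
# listening before the HF restarts; otherwise events back up in the output
# queue and, once it is full, forwarding to every destination stalls.
[syslog:thirdparty_syslog]
server = 10.1.12.2:1234
type = tcp

# --- props.conf: attach the routing transform to the AD security events ---
# Sourcetype is an assumption; use XmlWinEventLog:Security if renderXml=true.
[WinEventLog:Security]
TRANSFORMS-route_syslog = route_ad_to_syslog

# --- transforms.conf: copy every matching event to the syslog group ---
# Setting _SYSLOG_ROUTING does not take the event off the TCP path, so it
# still reaches Splunk Cloud via defaultGroup above: both destinations get it.
[route_ad_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty_syslog
```

After restarting, `splunk btool outputs list --debug` shows which file each stanza was loaded from, and `splunk list forward-server` shows whether the Splunk Cloud destination is active.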

asmyth1995
Explorer

Hi Giuseppe

I don't remember using an app when I signed up for the Splunk Cloud trial. I usually accessed Splunk Cloud in my browser. I did download a universal forwarder, which I can see in a folder on my machine, and the credentials at the start of the trial.

Also, the documentation did mention those conf files, but they were not present in the etc/system/local/ folder. I remember reading in a post that the conf files have to be written and then SplunkForwarder restarted.

I did something similar in the Splunk Enterprise folder, where I wrote the conf files and restarted Splunk Enterprise in Server Controls, but it gave an error in the UI saying the forwarder stopped working. I think it is because I didn't put in the right IP address for the Splunk Enterprise indexer and I didn't have the syslog receiver set up properly.


gcusello
SplunkTrust

Hi @asmyth1995 ,

You have to download the Add-On from your Splunk Cloud instance to your PC (Download folder).

Then you have to install this add-on via the GUI and restart Splunk.

In this way your HF is connected to Splunk Cloud and you can see its logs in SC.

For syslogs, you have to follow the instructions at the above link to add the additional configurations.

Ciao.

Giuseppe
