- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Forward Splunk audit log to external syslog server...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forward Splunk audit log to external syslog server from Heavy forwarder
Hi,
I would like to ask about his problem:
I have HF, from which I need forward its audit log ($SPLUNK_HOME/var/log/splunk/audit.log) to external syslog server. I made this config:
inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
sourcetype = send_to_syslog
props.conf
[send_to_syslog]
TRANSFORMS-test_internal_logs_syslog = test_internal_logs_syslog
transforms.conf
[test_internal_logs_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = test_internal_logs_syslog
outputs.conf
[syslog]
defaultGroup = test_internal_logs_syslog
[syslog:test_internal_logs_syslog]
disabled = false
server = tpsmscs02:2601
type = tcp
priority = NO_PRI
maxEventSize = 16384
Problem is, that not only audit log is forwarded, but all incoming logs as well, which is not desired. So I removed "defaultGroup = test_internal_logs_syslog" from outputs.conf - and then neither audit log or anything else is forwarded, simply nothing.
AFAIK my config without defaultGroup = test_internal_logs_syslog should work... Could someone check it and tell me what I am doing wrong? Thanks in advance.
Best regards
Lukas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lukas,
Did you get any closer to a solution for this? we seem to be facing the same problem 😖
Cheers
Claus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Claus,
we find out that Splunk handles audit log by some special way and there is no easy and reliable way how to send this log out of Splunk to some external collector. So final solution is: audit log is collected by rsyslog, installed on Splunk instance, and rsyslog then send this log to external collector (LogStash in this case). Hope it helps.
Regards
Lukas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lukas,
Thanks, that just verifies the result I came to myself. I have a support ticket running on the issue, hope that it will shed some light on it for the future 🤞
Regards
Claus
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
