Splunk SOAR not forwarding data to splunk

anya25
Explorer

I'm trying to use the Splunk App for SOAR to forward logs and events from SOAR to Splunk Enterprise.

The servers seem to be connected (test connectivity works) but the data (events, playbook runs etc.) isn't being indexed and doesn't appear in search in Splunk.

I tried reindexing the data through SOAR but it didn't work.

Adding audit input in the app is working fine, but data isn't being indexed in real time according to the supposed indexes (I did create them using the "Create Indexes" button in the app)

Did anyone experience anything similar or has any idea as to what might be the issue?

marnall
Builder

Did you set up your SOAR to forward logs?

Go to Administration->Administration Settings->Forwarder Settings->New Group

Then add your indexers, e.g.:

indexer1:9997

Check the boxes for which logs you would like to see.

Add an optional TCP token if it applies for your environment.

Then if you save this configuration, your SOAR should start sending logs to Splunk Enterprise.

Ref:

https://docs.splunk.com/Documentation/SOARApp/1.0.57/Install/ConnectremotesearchSOAR6.2

https://docs.splunk.com/Documentation/SOARonprem/latest/Admin/Forwarders

anya25
Explorer

Yes, I already set this up

marnall
Builder

OK, that is good. Do you see any logs coming from your SOAR host in the internal index at index=_internal?

If yes, then can you see any errors when you filter the source to splunkd.log? (for me it's source="/opt/phantom/splunkforwarder/var/log/splunk/splunkd.log")

If no, then can you SSH into the SOAR machine and then read that splunkd.log file looking for errors? Usually the file is located at /opt/phantom/splunkforwarder/var/log/splunk/splunkd.log

(depending on how big the logfile is, you could use "cat splunkd.log | grep ERROR")
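As an added example (not part of this thread), a small POSIX shell helper that summarises the "connection to host ... failed" lines in the forwarder's splunkd.log and flags any failing destination that is not in the configured indexer list, which is exactly the stale-indexer situation that surfaces later in this thread. The log lines, hosts, timestamps and indexer list are constructed; the message text mirrors the wording quoted by the original poster.

```shell
#!/bin/sh
# Constructed sample of splunkd.log lines from the universal forwarder on a SOAR
# host (made-up hosts and timestamps). On a real SOAR box the file lives at
# /opt/phantom/splunkforwarder/var/log/splunk/splunkd.log.
SAMPLE_LOG='03-12-2024 10:00:01.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.10:9997
03-12-2024 10:00:05.000 +0000 WARN  TcpOutputProc - connection to host 10.0.0.99:9997 failed
03-12-2024 10:00:35.000 +0000 WARN  TcpOutputProc - connection to host 10.0.0.99:9997 failed
03-12-2024 10:01:05.000 +0000 ERROR TcpOutputProc - connection to host 10.0.0.99:9997 failed'

# Indexers the forwarder group is expected to reach (assumed value, space separated).
EXPECTED_INDEXERS="10.0.0.10:9997"

# failed_hosts LOGFILE
# Prints "count host:port" for every destination that logged a connection failure.
failed_hosts() {
  sed -n 's/.*connection to host \([^ ]*\) failed.*/\1/p' "$1" \
    | sort | uniq -c | sed 's/^ *//'
}

# stale_hosts LOGFILE "idx1:port idx2:port ..."
# Prints failing destinations that are NOT in the expected indexer list, i.e. old or
# decommissioned indexers still present in the forwarder configuration.
stale_hosts() {
  failed_hosts "$1" | while read -r count host; do
    case " $2 " in
      *" $host "*) ;;   # expected indexer: a failure here is a real connectivity problem
      *) echo "$host ($count failures, not in configured indexers)" ;;
    esac
  done
}

# Usage: write the constructed sample to a temp file and report stale destinations.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
stale_hosts "$tmp" "$EXPECTED_INDEXERS"
rm -f "$tmp"
```

Point the first argument at the real splunkd.log and the second at the indexer list from the SOAR forwarder settings to run it against a live host.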

anya25
Explorer

I don't see any events when filtering index=_internal and source=<path_to_splunkd.log> (with my path obviously)

but I do see errors when looking in the splunkd.log file in my SOAR machine - lots of "connection to host <indexer>:9997 failed", which is weird because 9997 is open on the splunk indexer, the machines are in the same segment and the "test connectivity" worked.

anya25
Explorer

Sorry, my mistake - the IP address in the errors in the log file belongs to another Splunk server that is turned off.

I don't see any errors with the correct IP.

marnall
Builder

Excellent, it sounds like it is working with the right IP
