Splunk Search

How to forward indexed data to RSA NetWitness?

Bakerton
New Member

So I will start with the details of my setup. I am running a single server instance on a network of ~300 endpoints. All of my systems are forwarding to a total of 4 indexes currently. I am using Splunk (currently 7.2.6) strictly for audit collection and review.

We have a requirement to send our audit data to our client for their collection requirements as this system is here to support our business with them. They are using RSA's NetWitness and want the data converted to syslog format over UDP.

I have seen a few write-ups on this out there but I feel like they do not fit my situation close enough to trust them. So how do I send the data in the 4 relevant indexes to them in syslog format from my Splunk Enterprise server? Also, how do I set a limit on how much and how fast this forwarding would take place? I don't want to kill bandwidth just so they can warehouse data I am already storing.

Thanks!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...