Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure Splunk to collect syslog and forward the raw data to a 3rd party SIEM directly from a clustered indexer?

scorpia
New Member
‎04-19-2016 09:22 AM

Hello

We have 2 Data Center locations and each location has 3 indexers that collect logs from Universal Forwarders in each location. All indexers from the 2 DC locations are replicated for redundancy and Disaster Recovery purposes.

My questions:
1. Is it possible to forward all raw logs from all indexers to a 3rd party SIEM directly without a Heavy Forwarder?
2. Do I need to change props.conf and transforms.conf for each indexers or at Cluster Master?

We have Splunk 6.2.3

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎04-19-2016 10:10 AM

Your questions:
1. Is it possible to forward all raw logs from all indexers to a 3rd party SIEM directly without a Heavy Forwarder? - Yes it is possible .Because they are forwarding to a non-Splunk system, they can send only raw data.

e.g.
outputs.conf

[syslog:webreports_syslog_group]
server = myhostname:514
type = tcp

transforms.conf
[send_to_webreports]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group

props.conf:

[source::/data/logs/httpd/somesite/access*]
TRANSFORMS-weblog-matrix = send_to_webreports

  1. Do I need to change props.conf and transforms.conf for each indexers or at Cluster Master? In each indexer for the sources you want to send.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎04-19-2016 10:10 AM

Your questions:
1. Is it possible to forward all raw logs from all indexers to a 3rd party SIEM directly without a Heavy Forwarder? - Yes it is possible .Because they are forwarding to a non-Splunk system, they can send only raw data.

e.g.
outputs.conf

[syslog:webreports_syslog_group]
server = myhostname:514
type = tcp

transforms.conf
[send_to_webreports]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group

props.conf:

[source::/data/logs/httpd/somesite/access*]
TRANSFORMS-weblog-matrix = send_to_webreports

  1. Do I need to change props.conf and transforms.conf for each indexers or at Cluster Master? In each indexer for the sources you want to send.
0 Karma
Reply
Solved! Jump to solution

cleelakrishna
Loves-to-Learn
‎06-15-2017 06:37 AM

I'm unable forward specific INDIEX from HF to syslog . please check the configurations which I have used
props.conf
[index::watson]
TRANSFORMS-watson = wat_to_syslog

transforms.conf
[wat_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = wat_syslog_group

outputs.conf

[syslog:wat_syslog_group]
server = splunk-syslog.XXXX.com:514
type=udp

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...