Getting Data In

How to send Windows events to a third-party server using Splunk Universal Forwarder?

raduand
Explorer

Hello,

I'm trying to send Windows events using a Universal Forwarder to a 3rd party system.

I configured outputs.conf as shown below:

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer1:9997,indexer2:9997, etc
autoLB = true
compressed = true

[tcpout:exernal]
server=10.10.10.10:514
sendCookedData=false

The forwarder has an inputs.conf which looks for WinEvent:Security. The events are reaching the Splunk indexers successfully, but not the 3rd party server. The 3rd party server is only receiving Splunk internal events, which tells me that the outputs.conf stanza is correct and I have connectivity between the 2 machines.

Is there anything specific I need to configure in order to forward the Windows events to the 3rd party server as well? I only need to send the raw events; no other parsing/transformation is needed. Any suggestion would be highly appreciated.

Thanks!

0 Karma
1 Solution

gcusello
SplunkTrust

Hi raduand,
as described at http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd , you should try to delete (or comment) the first stanza in outputs.conf

[tcpout]
defaultGroup = primary_indexers

Bye.
Giuseppe

raduand
Explorer

Thanks! Now it's sending something, but the Windows events are multi-line and I'd like to receive the full event in a single line on the 3rd party destination. Is that possible?

0 Karma

gcusello
SplunkTrust

Hi raduand,
I don't think that it's possible because you're sending uncooked data. You should parse data in the destination system to aggregate rows in a single log, or use cooked data and parse them in the destination system.
Bye.
Giuseppe

0 Karma

raduand
Explorer

Cool, then I believe I need to use an intermediate Heavy Forwarder to parse the logs and then forward them to the 3rd party destination.

Thanks a lot and best regards,
Andrei

0 Karma

Log_wrangler
Builder

I am having the same problem; did you get this to work? Thanks

0 Karma

vonsolo29
Explorer

We are trying to do something similar, but we want the UF to send the same data to both our indexer group and the third party system. Is this possible? We configured the _TCP_ROUTING property to use both tcpout stanzas for indexer-group and secops-server, but the data in the secops-server is not correct. It looks as though it's just internal Splunk logs/metrics from the UF and not Windows event logs.

0 Karma

gcusello
SplunkTrust

Hi vonsolo29,
Did you insert the option sendCookedData=false in the outputs.conf's external stanza?
In addition, you also have to modify the other inputs.conf; probably you're also sending the Splunk internal logs.
Bye.
Giuseppe

0 Karma

vonsolo29
Explorer

This is what I have in the outputs:

[tcpout]
defaultGroup = indexer-group

[tcpout:indexer-group]
server = SPLUNKINDEXERSERVER:9997,SPLUNKINDEXERSERVER:9997,SPLUNKINDEXERSERVER:9997

[tcpout:thirdpartytest-system]
server = THIRDPARYSERVER:5114
sendCookedData = false

This is what the inputs show:

[WinEventLog://Security]
disabled = 0
index = wineventlog
_TCP_ROUTING = indexer-group,thirdpartytest-system

0 Karma
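Added example, not from this thread or from Splunk: a small Python checker that reads a UF's outputs.conf and inputs.conf (the configs above, reproduced inline as a constructed sample) and reports the three pitfalls the thread turns on: a [tcpout] defaultGroup still present, a third-party stanza without sendCookedData = false, and no input stanza routing to that group via _TCP_ROUTING. parse_conf and check_routing are my own helper names; the third-party group name is passed in because nothing in a .conf marks a destination as "third party".

```python
# Constructed sample configs mirroring the thread's second setup (not from a live host).
import re
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = indexer-group
[tcpout:indexer-group]
server = SPLUNKINDEXERSERVER:9997
[tcpout:thirdpartytest-system]
server = THIRDPARYSERVER:5114
sendCookedData = false
"""
INPUTS_CONF = """\
[WinEventLog://Security]
_TCP_ROUTING = indexer-group,thirdpartytest-system
"""

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; '#' lines are skipped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_routing(outputs_text, inputs_text, third_party):
    """Findings for the pitfalls raised in the thread; an empty list means none found."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    groups = {n[len("tcpout:"):]: b for n, b in outputs.items() if n.startswith("tcpout:")}
    findings = []
    if "defaultGroup" in outputs.get("tcpout", {}):  # accepted answer: delete/comment it
        findings.append("outputs.conf: [tcpout] defaultGroup is set; delete or comment it")
    if third_party not in groups:
        findings.append(f"outputs.conf: no [tcpout:{third_party}] stanza")
    elif groups[third_party].get("sendCookedData", "true").lower() != "false":
        findings.append(f"outputs.conf: [tcpout:{third_party}] needs sendCookedData = false")
    routed = False
    for stanza, body in inputs.items():  # every _TCP_ROUTING target must be a real group
        for target in (t.strip() for t in body.get("_TCP_ROUTING", "").split(",") if t.strip()):
            if target not in groups:
                findings.append(f"inputs.conf [{stanza}]: _TCP_ROUTING target '{target}' undefined")
            routed |= target == third_party
    if not routed:
        findings.append(f"inputs.conf: no input stanza routes to '{third_party}' via _TCP_ROUTING")
    return findings
```

Run it with the sample and the only finding is the lingering [tcpout] defaultGroup; point it at a real $SPLUNK_HOME/etc/system/local pair by reading the files into the two strings.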