- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Forward Splunk audit log to external syslog server...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forward Splunk audit log to external syslog server from Heavy forwarder
Hi,
I would like to ask about his problem:
I have HF, from which I need forward its audit log ($SPLUNK_HOME/var/log/splunk/audit.log) to external syslog server. I made this config:
inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
sourcetype = send_to_syslog
props.conf
[send_to_syslog]
TRANSFORMS-test_internal_logs_syslog = test_internal_logs_syslog
transforms.conf
[test_internal_logs_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = test_internal_logs_syslog
outputs.conf
[syslog]
defaultGroup = test_internal_logs_syslog
[syslog:test_internal_logs_syslog]
disabled = false
server = tpsmscs02:2601
type = tcp
priority = NO_PRI
maxEventSize = 16384
Problem is, that not only audit log is forwarded, but all incoming logs as well, which is not desired. So I removed "defaultGroup = test_internal_logs_syslog" from outputs.conf - and then neither audit log or anything else is forwarded, simply nothing.
AFAIK my config without defaultGroup = test_internal_logs_syslog should work... Could someone check it and tell me what I am doing wrong? Thanks in advance.
Best regards
Lukas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lukas,
Did you get any closer to a solution for this? we seem to be facing the same problem 😖
Cheers
Claus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Claus,
we find out that Splunk handles audit log by some special way and there is no easy and reliable way how to send this log out of Splunk to some external collector. So final solution is: audit log is collected by rsyslog, installed on Splunk instance, and rsyslog then send this log to external collector (LogStash in this case). Hope it helps.
Regards
Lukas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lukas,
Thanks, that just verifies the result I came to myself. I have a support ticket running on the issue, hope that it will shed some light on it for the future 🤞
Regards
Claus
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
