Splunk Enterprise

Forward Splunk audit log to external syslog server from Heavy forwarder

lukasmecir
Path Finder

Hi,

I would like to ask about this problem:

I have an HF from which I need to forward its audit log ($SPLUNK_HOME/var/log/splunk/audit.log) to an external syslog server. I made this config:

inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log]
sourcetype = send_to_syslog

props.conf
[send_to_syslog]
TRANSFORMS-test_internal_logs_syslog = test_internal_logs_syslog

transforms.conf
[test_internal_logs_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = test_internal_logs_syslog

outputs.conf

[syslog]
defaultGroup = test_internal_logs_syslog

[syslog:test_internal_logs_syslog]
disabled = false
server = tpsmscs02:2601
type = tcp
priority = NO_PRI
maxEventSize = 16384

The problem is that not only the audit log is forwarded, but all incoming logs as well, which is not desired. So I removed "defaultGroup = test_internal_logs_syslog" from outputs.conf, and then neither the audit log nor anything else is forwarded, simply nothing.

AFAIK my config without "defaultGroup = test_internal_logs_syslog" should work... Could someone check it and tell me what I am doing wrong? Thanks in advance.

Best regards

Lukas


ClausBom
Explorer

Hi Lukas,

Did you get any closer to a solution for this? We seem to be facing the same problem 😖

Cheers

Claus


lukasmecir
Path Finder

Hi Claus,

We found out that Splunk handles the audit log in some special way and there is no easy and reliable way to send this log out of Splunk to an external collector. So the final solution is: the audit log is collected by rsyslog, installed on the Splunk instance, and rsyslog then sends this log to the external collector (LogStash in this case). Hope it helps.

Regards

Lukas
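The workaround described in the post above (rsyslog tailing audit.log on the Splunk host and shipping it to an external collector), written out as an added example; this is not configuration from the thread or from Splunk, and the collector hostname logstash.example.com, the TCP port 5514, the /opt/splunk install path and the ruleset/queue names are all assumptions.

```conf
# Added example, not from the original thread. Drop it into /etc/rsyslog.d/ on the
# Splunk instance. Everything named here (paths, host, port) is an assumption.

module(load="imfile")        # file-tailing input; omfwd (TCP output) is built in

# Tail only the Splunk audit log. $SPLUNK_HOME is assumed to be /opt/splunk.
# The rsyslog process must have read permission on this file.
input(type="imfile"
      File="/opt/splunk/var/log/splunk/audit.log"
      Tag="splunk-audit:"
      Facility="local6"
      Severity="info"
      ruleset="splunk_audit")

# Dedicated ruleset so the audit events go to the collector and nowhere else;
# the rest of the host's syslog traffic is untouched.
ruleset(name="splunk_audit") {
    action(type="omfwd"
           target="logstash.example.com"   # assumed external collector
           port="5514"                     # assumed TCP port on the collector
           protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"   # RFC 5424 framing
           queue.type="LinkedList"         # buffer in memory, spill to disk...
           queue.filename="splunk_audit_fwd"
           queue.saveOnShutdown="on"       # ...and keep the buffer across restarts
           action.resumeRetryCount="-1")   # retry forever if the collector is down
    stop
}
```

Two practitioner checks: the audit trail is security-relevant, so the plain TCP transport above should be wrapped in TLS (omfwd's StreamDriver="gtls" or "ossl" with StreamDriverMode="1" and a DefaultNetstreamDriverCAFile set globally) before it crosses an untrusted network; and because audit.log rotates, confirm with `rsyslogd -N1` that the config parses and then watch the collector across a rotation to make sure imfile picks up the new file.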

ClausBom
Explorer

Hi Lukas,

Thanks, that just verifies the result I came to myself. I have a support ticket running on the issue; I hope that it will shed some light on it for the future 🤞

Regards

Claus
