2018-06-22 04:41 PM
2018-06-22 04:50 PM
Hello Deepak, RSA University has a course on NetWitness and Splunk integration. Here is a link to the course description if you are interested:
RSA NetWitness Network and Splunk® Integration
You could look at the description and see if it is what you are looking for. The course is based on NW 10.6.
2018-06-22 09:06 PM
2018-07-06 10:04 AM
Thanks Lisa!!
Will go through it once the organization approves this.
2018-07-06 10:23 AM
Thanks Eric for the document; however, I already have it.
Have gone through the document and have a set of queries.
We are planning to forward the desired events, preserving the raw log, from Splunk through Syslog UDP-514.
Didn't understand the exact limitation mentioned on page 15.
Step-2: Configure Splunk to point to RSA.
The mentioned parameters are really not clear; would like to know more in detail.
Use the integration.
This step describes how to view logs from Splunk to RSA.
Would like to know in more detail the challenges and changes which need to be done at the RSA NW end.
Would love to hear from you on this....
2018-07-08 08:51 PM
Deepak
Try the following on your indexer:
----------------------------------------------------------------
# props.conf
[host::*]
# Run both transforms below on every event, in this order.
TRANSFORMS-rsa = rsa_format_1, send_to_rsa
# Collapse multi-line events into a single syslog line.
# I do not know if this is still required.
SEDCMD-newlines = s/[\n\r]+/ /g
# transforms.conf
[rsa_format_1]
# Take the host name from the event's host metadata and prepend the
# NetWitness header; $0 is the original _raw content.
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = [][][$1][0000][] $0
DEST_KEY = _raw
[send_to_rsa]
# Route every (non-empty) event to the rsa_syslog output group.
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = rsa_syslog
# outputs.conf
[tcpout:rsa_syslog]
# Replace <ip> with the NetWitness log decoder address.
server = <ip>:514
# Send plain text rather than Splunk's cooked format.
sendCookedData=false
----------------------------------------------------------------------
Keep in mind that parsing might be an issue for Windows and a few other devices.
Dave
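As an added example (not Dave's config, nor Splunk or RSA code), the Python below emulates what those three stanzas do to one event, so the line NetWitness will receive can be inspected before anything is sent, and adds a TCP connect check for the receiving side; the host name, log text and the 192.0.2.10 address are constructed placeholders.

```python
import re
import socket

# Constructed sample event as the indexer would hold it: Splunk's host
# metadata key ("host::<name>") and the raw event text, here with a CRLF.
SAMPLE_HOST_KEY = "host::fw01.example.local"
SAMPLE_RAW = "Jun 22 16:41:02 fw01 kernel: DROP IN=eth0\r\nSRC=10.0.0.5 DST=10.0.0.9"

# [rsa_format_1]: REGEX ^host::(.*)$ applied to MetaData:Host.
HOST_RE = re.compile(r"^host::(.*)$")

def collapse_newlines(raw: str) -> str:
    """Emulates SEDCMD-newlines = s/[\\n\\r]+/ /g: one event becomes one syslog line."""
    return re.sub(r"[\n\r]+", " ", raw)

def to_netwitness_line(host_key: str, raw: str) -> str:
    """Emulates FORMAT = [][][$1][0000][] $0 with DEST_KEY = _raw.

    At index time $0 is the previous content of DEST_KEY, i.e. the original raw
    event. If the REGEX does not match, Splunk leaves _raw untouched.
    """
    m = HOST_RE.match(host_key)
    if not m:
        return raw
    return f"[][][{m.group(1)}][0000][] {collapse_newlines(raw)}"

def route_event(host_key: str, raw: str) -> tuple:
    """Runs both transforms in stanza order; returns (tcpout group, wire line).
    [send_to_rsa] matches REGEX = . on the reformatted _raw, so every non-empty
    event is routed to the tcpout group rsa_syslog."""
    line = to_netwitness_line(host_key, raw)
    return ("rsa_syslog" if re.search(r".", line) else None), line

def receiver_accepts_tcp(ip: str, port: int = 514, timeout: float = 3.0) -> bool:
    """Checks that the NetWitness side accepts a TCP connection on the tcpout port.

    tcpout speaks TCP, so a listener that only takes syslog over UDP 514 will
    refuse it; a refused or timed-out connect explains a blocked output group.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print(route_event(SAMPLE_HOST_KEY, SAMPLE_RAW))
    # 192.0.2.10 is a placeholder for the NetWitness log decoder address.
    print("receiver accepts TCP/514:", receiver_accepts_tcp("192.0.2.10", timeout=1.0))
```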
2018-08-05 12:33 PM
Thanks for your valuable inputs, Dave.
But it's still not working. Getting the below message in the Splunk GUI.
Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group rsa_syslog has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data