Splunk Connect for Syslog can be configured to utilize any destination available insyslog-ng OSE. The configuration system provides ease of use helpers to manage configurationfor the three most common destination needs, Splunk HEC, RFC5424 Syslog, and Legacy BSD Syslog.
In the getting started guide you configured the Splunk HEC “DEFAULT” destination to receive all traffic by default. The “DEFAULT” destination should be configured to accept all events to ensure that at least onedestination has the event to avoid data loss due to misconfiguration. The following example demonstrates configuration of a second HEC destination where only “selected” data will be sent.
Example 1 Send all events¶
#Note "OTHER" should be a meaningful nameSC4S_DEST_SPLUNK_HEC_OTHER_URL=https://splunk:8088SC4S_DEST_SPLUNK_HEC_OTHER_TOKEN=${SPLUNK_HEC_TOKEN}SC4S_DEST_SPLUNK_HEC_OTHER_TLS_VERIFY=noSC4S_DEST_SPLUNK_HEC_OTHER_MODE=GLOBAL
Example 2 Send only cisco IOS Events¶
#Note "OTHER" should be a meaningful nameSC4S_DEST_SPLUNK_HEC_OTHER_URL=https://splunk:8088SC4S_DEST_SPLUNK_HEC_OTHER_TOKEN=${SPLUNK_HEC_TOKEN}SC4S_DEST_SPLUNK_HEC_OTHER_TLS_VERIFY=noSC4S_DEST_SPLUNK_HEC_OTHER_MODE=SELECTSC4S_DEST_CISCO_IOS_ALTERNATES=d_fmt_hec_OTHER
Example 3 Send only cisco IOS events that are not debug¶
#Note "OTHER" should be a meaningful nameSC4S_DEST_SPLUNK_HEC_OTHER_URL=https://splunk:8088SC4S_DEST_SPLUNK_HEC_OTHER_TOKEN=${SPLUNK_HEC_TOKEN}SC4S_DEST_SPLUNK_HEC_OTHER_TLS_VERIFY=noSC4S_DEST_SPLUNK_HEC_OTHER_MODE=SELECT
#filename:application sc4s-lp-cisco_ios_dest_fmt_other{{ source }}[sc4s-lp-dest-select-d_fmt_hec_other] { filter { 'CISCO_IOS' eq "${fields.sc4s_vendor}_${fields.sc4s_product}" #Match any cisco event that is not like "%ACL-7-1234" and not message('^%[^\-]+-7-'); }; };
Example 4 Mcafee EPO send RFC5424 events without frames to third party system¶
Note in most cases when a destination requires syslog the requirement is referring tolegacy BSD syslog (RFC3194) not standard syslog RFC5424
The destination name is taken from the env var each destination must have a unique name regardless of type.This value should be short and meaningful.
#env_fileSC4S_DEST_SYSLOG_MYSYS_HOST=172.17.0.1SC4S_DEST_SYSLOG_MYSYS_PORT=514SC4S_DEST_SYSLOG_MYSYS_MODE=SELECT# set to #yes for ietf framesSC4S_DEST_SYSLOG_MYSYS_IETF=no
#filename: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-mcafee_epo_d_syslog_msys.confapplication sc4s-lp-mcafee_epo_d_syslog_msys[sc4s-lp-dest-select-d_syslog_msys] { filter { 'mcafee' eq "${fields.sc4s_vendor}" and 'epo' eq "${fields.sc4s_product}" }; };
Example 5 Cisco ASA send to a third party SIEM¶
The destination name is taken from the env var each destination must have a unique name regardless of type.This value should be short and meaningful
In most cases when a third party system needs “syslog” the requirement is to send “legacy BSD” as followsThis is often refereed to as RFC3194
#env_fileSC4S_DEST_BSD_OLDSIEM_HOST=172.17.0.1SC4S_DEST_BSD_OLDSIEM_PORT=514SC4S_DEST_BSD_OLDSIEM_MODE=SELECT# set to #yes for ietf frames
#filename: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-mcafee_epo_d_bsd_oldsiem.confapplication sc4s-lp-mcafee_epo_d_bsd_oldsiem[sc4s-lp-dest-select-d_bsd_oldsiem] { filter { 'mcafee' eq "${fields.sc4s_vendor}" and 'epo' eq "${fields.sc4s_product}" }; };
Example 6 Mcafee EPO send RFC5424 events without frames to third party system¶
The destination name is taken from the env var each destination must have a unique name regardless of type.This value should be short and meaningful
#env_fileSC4S_DEST_SYSLOG_MYSYS_HOST=172.17.0.1SC4S_DEST_SYSLOG_MYSYS_PORT=514SC4S_DEST_SYSLOG_MYSYS_MODE=SELECT# set to #yes for ietf framesSC4S_DEST_SYSLOG_MYSYS_IETF=no
#filename: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-mcafee_epo_d_syslog_msys.confapplication sc4s-lp-mcafee_epo_d_syslog_msys[sc4s-lp-dest-select-d_syslog_msys] { filter { 'cisco' eq "${fields.sc4s_vendor}" and 'asa' eq "${fields.sc4s_product}" }; };
SC4S Supports the following destination configurations via configuration. Any custom destinationcan be supported (defined by syslog-ng OSE)
- Splunk HTTP Event Collector (HEC)
- RFC5424 format without frames i.e.
<166>1 2022-02-02T14:59:55.000+00:00 kinetic-charlie - - - - %FTD-6-430003: DeviceUUID:
- RFC5424 format with frames also known as RFC6587
123 <166>1 2022-02-02T14:59:55.000+00:00 kinetic-charlie - - - - %FTD-6-430003: DeviceUUID:
- RFC3164 (BSD format)
<134>Feb 2 13:43:05.000 horse-ammonia CheckPoint[26203]:
HEC Destination Configuration¶
Variable | Values | Description |
---|---|---|
SC4S_DEST_SPLUNK_HEC_<ID>_URL | url | URL(s) of the Splunk endpoint, can be a single URL space separated list |
SC4S_DEST_SPLUNK_HEC_<ID>_TOKEN | string | Splunk HTTP Event Collector Token |
SC4S_DEST_SPLUNK_HEC_<ID>_MODE | string | “GLOBAL” or “SELECT” |
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
HTTP Compression¶
HTTP traffic compression helps to reduce network bandwidth usage. SC4S currently supports gzip for compressing transmitted traffic.\Using the ‘gzip’ compression algorithm can result in lower CPU load and increased utilization of RAM. The algorithm may also cause a decrease in performance. Tests observed a decrease in message processing speed by 6% to 7%.\Compression affects the content but does not affect the HTTP headers. Enable batch packet processing to make the solution particularly efficient, as this allows compression of a large number of logs at once.
Variable | Values | Description |
---|---|---|
SC4S_DEST_SPLUNK_HEC_<ID>_HTTP_COMPRESSION; | yes or no(default) | compress outgoing HTTP traffic using gzip method |
Syslog Standard destination.¶
Note: in many cases destinations incorrectly assert “syslog” support. IETF standards RFC5424, RFC5425, RFC6587 define the use of “syslog” as a network protocol. Often the actual configuration required is Legacy BSD syslog which is NOT a standard and was documented “historically” in RFC3164 see BSD Destination section.
Variable | Values | Description |
---|---|---|
SC4S_DEST_SYSLOG_<ID>_HOST | fqdn or ip | the FQDN or IP of the target |
SC4S_DEST_SYSLOG_<ID>_PORT | number | 601 (default when framed) 514 (default when not framed) |
SC4S_DEST_SYSLOG_<ID>_IETF | yes,no | default “yes” use IETF Standard frames |
SC4S_DEST_SYSLOG_<ID>_TRANSPORT | tcp,udp,tls | default tcp |
SC4S_DEST_SYSLOG_<ID>_MODE | string | “GLOBAL” or “SELECT” |
BSD legacy destination (Non standard)¶
Note: in many cases, destinations incorrectly assert “syslog” support. Internet Engineering Task Force standards RFC5424, RFC5425, and RFC6587 define the use of “syslog” as a network protocol. Often the actual configuration required is Legacy BSD syslog which is not a standard and was documented in RFC3164.
Variable | Values | Description |
---|---|---|
SC4S_DEST_BSD_<ID>_HOST | fqdn or ip | the FQDN or IP of the target |
SC4S_DEST_BSD_<ID>_PORT | number | default 514 |
SC4S_DEST_BSD_<ID>_TRANSPORT | tcp,udp,tls | default tcp |
SC4S_DEST_BSD_<ID>_MODE | string | “GLOBAL” or “SELECT” |
Configuration of Filtered Alternate Destinations (Advanced)¶
Though source-specific forms of the variables configured above will limit configured alternate destinations to a specific data source, thereare cases where even more granularity is desired within a specific data source (e.g. to send all Cisco ASA “debug” traffic to Cisco Prime foranalysis). This extra traffic may or may not be needed in Splunk. To accommodate this use case, Filtered Alternate Destinations allow afilter to be supplied to redirect a portion of a given source’s traffic to a list of alternate destinations (and, optionally, to preventmatching events from being sent to Splunk). Again, these are configured through environment variables similarto the ones above:
Variable | Values | Description |
---|---|---|
SC4S_DEST_<VENDOR_PRODUCT>_ALT_FILTER | syslog-ng filter | Filter to determine which events are sent to alternate destination(s) |
SC4S_DEST_<VENDOR_PRODUCT>_FILTERED_ALTERNATES | Comma or space-separated list of syslog-ng destinations | Send filtered events to alternate syslog-ng destinations using the VENDOR_PRODUCT syntax, e.g. SC4S_DEST_CISCO_ASA_FILTERED_ALTERNATES |
NOTE: This is an advanced capability, and filters and destinations using proper syslog-ng syntax must be constructed prior to utilizingthis feature.
NOTE: Unlike the standard alternate destinations configured above, the regular “mainline” destinations (including the primary HECdestination or configured archive destination (
d_hec
ord_archive
)) are not included for events matching the configured alternatedestination filter. If an event matches the filter, the list of filtered alternate destinations completely replaces any mainline destinationsincluding defaults and global or source-based standard alternate destinations. Be sure to include them in the filtered destination list ifdesired.HINT: Since the filtered alternate destinations completely replace the mainline destinations (including HEC to Splunk), a filter thatmatches all traffic can be used with a destination list that does not include the standard HEC destination to effectively turn off HECfor a given data source.