Has anyone set up a Splunk forwarder that's working?

  • Question

  • I still have not been able to get the Splunk forwarder settings correct to forward events to ATA.

    I was hoping there would be someone out there who could provide examples of props.conf, transforms.conf and outputs.conf that would make this work. I have tried several different settings and looked through forums and opened a ticket with Splunk.

    But I would think someone out there would have a working setup, at least at Microsoft, and be willing to share some information.

    Saturday, September 19, 2015 4:47 PM

All replies

  • Currently I have

    props.conf

    # Apply the ataforwarder transform to the native Security event log input.
    [WinEventLog:Security]
    TRANSFORMS-ata = ataforwarder

    transforms.conf

    # Tag every matching event with the syslog output group named in outputs.conf.
    [ataforwarder]
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = microsoft_ata

    outputs.conf

    # Syslog target referenced by the transform above; plain UDP to the ATA server.
    [syslog:microsoft_ata]
    server = 10.10.10.1:514
    type = udp
    # sendCookedData is a [tcpout] setting; a syslog stanza always sends plain text.
    sendCookedData = false

    It took a few tries to get it so it would index AND forward events, but I am getting the same errors as others on the forums and have yet to see someone with a solution.

    Saturday, September 19, 2015 4:51 PM
  • Hi Adam,

    We've piggybacked onto this thread:

    https://social.technet.microsoft.com/Forums/en-US/9dffc04f-1300-4612-a264-4cb703f3cbba/receiving-syslog-from-splunk-failed-to-parse-time-generated?forum=mata

    Take a look, as it might help out. The main thing was having the Splunk forwarder on the DC pull in logs via WMI in addition to the native event log collection. I'm having my indexers drop all of the WMI logs except the 4776 events, which are then syslogged to ATA. We are now getting the correct key-value fields, but have a new error on the ATA side to deal with.

    Here are my Splunk conf files for reference:

    --wmi.conf on Windows forwarder--

    # Collect the local Security log over WMI (alongside the native WinEventLog
    # input) into its own index; current_only = 1 skips historical events.
    [WMI:LocalSecurity]
    index = winevent_ata
    disabled = 0
    current_only = 1

    --props.conf on Splunk indexer--

    # Transforms run left to right and a later one overwrites the key set by an
    # earlier one, so win_wmi_index must come after win_wmi_null.
    [WMI:WinEventLog:Security]
    TRANSFORMS-routing = win_wmi_ata, win_wmi_null, win_wmi_index

    --transforms.conf on Splunk indexer--

    # Drop every WMI Security event by default...
    [win_wmi_null]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    # ...then put 4776 (credential validation) back into the index queue...
    [win_wmi_index]
    REGEX = EventCode=4776
    DEST_KEY = queue
    FORMAT = indexQueue

    # ...and route the same 4776 events to the syslog output group below.
    [win_wmi_ata]
    REGEX = EventCode=4776
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = ms_ata_dev

    --outputs.conf on Splunk indexer--

    # Syslog target referenced by win_wmi_ata; plain UDP to the ATA server.
    [syslog:ms_ata_dev]
    server = <ata_server_fqdn>:514
    type = udp
    Wednesday, October 28, 2015 2:32 PM
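Both configurations in this thread hinge on how Splunk applies the transforms listed in a TRANSFORMS-<class> setting: left to right, each matching transform overwriting its DEST_KEY, with nullQueue winning only if nothing later resets the queue. The script below is an added example (my own, not code from either post or from Splunk) that models that behaviour over the second post's transforms.conf so the regexes and ordering can be checked offline before touching an indexer. It assumes, as Splunk's documented pipeline implies, that an event whose final queue is nullQueue is discarded before any syslog output runs; the sample events are constructed in the key=value shape the WMI event log input produces.

```python
"""
Offline model of Splunk index-time TRANSFORMS routing.

Added example, not from the thread: models how Splunk applies the transforms
named in props.conf TRANSFORMS-routing so the regexes and their order can be
tested before deployment. Assumptions (not stated on the page): transforms run
left to right, each match overwrites its DEST_KEY, and an event left in
nullQueue is dropped before the syslog output ever sees it.
"""
import configparser
import re

# transforms.conf exactly as posted for the indexer.
TRANSFORMS_CONF = """
[win_wmi_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[win_wmi_index]
REGEX = EventCode=4776
DEST_KEY = queue
FORMAT = indexQueue

[win_wmi_ata]
REGEX = EventCode=4776
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_ata_dev
"""

# Order taken from the posted props.conf:
#   TRANSFORMS-routing = win_wmi_ata, win_wmi_null, win_wmi_index
ROUTING_ORDER = ["win_wmi_ata", "win_wmi_null", "win_wmi_index"]

# Same transforms, wrong order: nullQueue applied last drops everything.
BAD_ORDER = ["win_wmi_ata", "win_wmi_index", "win_wmi_null"]

# Constructed sample events in the key=value layout of Splunk's WMI event input.
EVENT_4776 = (
    "EventCode=4776\nEventType=8\nLogName=Security\n"
    "Message=The computer attempted to validate the credentials for an account."
)
EVENT_4624 = (
    "EventCode=4624\nEventType=8\nLogName=Security\n"
    "Message=An account was successfully logged on."
)


def load_transforms(text):
    """Parse a transforms.conf body into {stanza: {REGEX, DEST_KEY, FORMAT}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT case as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route(event, transforms, order):
    """Return the final routing keys for one event after all transforms ran."""
    keys = {"queue": "indexQueue"}  # Splunk's default destination
    for name in order:
        t = transforms[name]
        if re.search(t["REGEX"], event, re.MULTILINE):
            keys[t["DEST_KEY"]] = t["FORMAT"]  # later matches overwrite earlier
    if keys["queue"] == "nullQueue":
        # Assumption: a dropped event never reaches the syslog output stage.
        keys.pop("_SYSLOG_ROUTING", None)
    return keys


def survivors(events, transforms, order):
    """Return the events that would be indexed and syslogged, for a quick check."""
    return [
        e for e in events
        if route(e, transforms, order).get("_SYSLOG_ROUTING")
    ]


if __name__ == "__main__":
    tf = load_transforms(TRANSFORMS_CONF)
    for label, event in (("4776", EVENT_4776), ("4624", EVENT_4624)):
        print(label, "posted order ->", route(event, tf, ROUTING_ORDER))
        print(label, "bad order    ->", route(event, tf, BAD_ORDER))
```

Run it as-is to see that the posted order keeps 4776 in the index queue and tags it for ms_ata_dev while 4624 is dropped; swap in BAD_ORDER to see why putting win_wmi_null last silently discards every event, which is the kind of mistake that shows up on the ATA side as nothing arriving at all.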
  • This configuration was never fully implemented. We are once again looking for guidance.
    Tuesday, January 16, 2018 8:03 PM