The "Integrating Splunk with ArcSight" document states it is possible to feed Splunk with data coming straight from a Connector. Do you have any idea how this is possible? The ArcSight website is not as full of information as Splunk's... And, yes, I know this might not be the right community, but it's the one I happen to trust. Paolo
If you meant how to configure the ArcSight agent to send the data out to Splunk, let me know and I'll send you instructions on how to ...
Hi, thanks for the reply. Yes, I meant how to configure the Connectors.
(16 Nov '11, 03:38)
Paolo Prigione
Hi gooza. So, it is possible to configure an Arcsight Connector to send data to a 3rd party receiver in CEF over Syslog format. Thank you very much
(16 Nov '11, 04:03)
Paolo Prigione
Yes, I sent you the instructions on how.
(16 Nov '11, 04:08)
gooza
Just wondering: is it possible to forward CEF data to Splunk from Logger itself? This would limit the effort on the connectors as, I'm told, you need quite a number of them even for small environments.
(06 Dec '11, 03:19)
Paolo Prigione
I highly recommend using CEF (Common Event Format) Extraction Utilities on Splunkbase; it parses the ArcSight CEF format quite easily. As for timestamp extraction, I recommend adding the following to the relevant stanza in props.conf (end and rt are epoch milliseconds, hence %s%3N):

TIME_PREFIX = \s(end|rt)\=
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 350
I'm a total noob, and trying to figure out how to configure the CEF extraction utils app (CEF (Common Event Format) Extraction Utilities on Splunkbase) but cannot understand how to work it out. Can you help me understand what it means to do the following: "Add REPORT-cefevents = cefHeaders,cefKeys to relevant stanzas in order for this add-on to parse the events"? What file should I edit? And secondly, can I apply the app on content that is loaded to Splunk via the oneshot REST API?
Add to your props.conf file under the relevant stanza the row: you can read more on props.conf at
(29 Mar '12, 05:36)
gooza
Some updates to this thread. The CEF app needs to be updated with some small corrections. It will work with any Splunk version 4.1 or later. Those corrections are listed below. props.conf and transforms.conf will work nicely exactly as they are below. All of these are minor improvements and corrections on the advice above. The default way to send data from an ArcSight Connector will be to a port. The default ArcSight Connector port is 8443. This is what it should look like.

props.conf
[cefevents]
MAX_TIMESTAMP_LOOKAHEAD = 350
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX = \s(end|rt)=
pulldown_type = 1
REPORT-cefevents = cefHeaders, cefKeys

transforms.conf
[cefHeaders]
REGEX = CEF:(?<cef_cefversion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)

[cefKeys]
REGEX = (?:_+)?(?<_KEY_1>[\w.:,\[\]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:,\[\]]+=|$|\|)))
REPEAT_MATCH = True
CLEAN_KEYS = 1
Please ignore the REGEXES above, the editor screws them up. We will get the proper examples posted in the CEF (Common Event Format) Extraction Utilities App.
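To check what the cefHeaders / cefKeys extractions in this answer, and the TIME_PREFIX = \s(end|rt)= advice in the earlier answer, will actually pull out of a CEF event before the config is deployed, here is a small stand-alone parser that does the same job offline. It is an added example, not code from the CEF Extraction Utilities app or from ArcSight; the two sample events are constructed, not captured from a connector. It goes slightly beyond the Splunk regexes by honouring the CEF escape sequences (backslash-pipe in header fields, backslash-equals and doubled backslash in extension values), which a plain [^|]* header match does not. end and rt are treated as 13-digit epoch milliseconds, and the whitespace in front of (end|rt)= is what keeps the art= and mrt= fields from being mistaken for the receipt time.

```python
"""Offline check of CEF header / key=value extraction and end/rt timestamp
parsing, mirroring the props.conf and transforms.conf posted in this thread.
Added example; not part of the CEF Extraction Utilities app."""
import re
from datetime import datetime, timezone

# Constructed sample events in CEF-over-syslog form (not from a real
# SmartConnector).  The first has an escaped pipe in the header and an
# escaped '=' plus backslashes in an extension value; the second carries
# several epoch-millisecond time fields (mrt, end, art) in one event.
SAMPLE_EVENTS = [
    "<13>Nov 16 03:38:00 arcsight CEF:0|Security|threatmanager|1.0|100|"
    "Worm detected \\| stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 "
    "rt=1321414680000 msg=Stopped worm in path\\=C:\\\\temp\\\\x.exe",
    "CEF:0|ArcSight|Logger|5.0|agent:030|Agent [test] type [testalertng] started|Low|"
    "eventId=1 mrt=1321414980000 end=1321414981000 art=1321414982000 cat=/Agent/Started",
]

# Field names as produced by the cefHeaders transform.
HEADER_FIELDS = ("cef_cefversion", "cef_vendor", "cef_product", "cef_version",
                 "cef_signature", "cef_name", "cef_severity")

# Same key alphabet as the cefKeys regex; a key must be preceded by
# whitespace or the start of the extension block.
KEY_RE = re.compile(r"(?:^|\s)([\w.:,\[\]]+)=")
# TIME_PREFIX = \s(end|rt)= followed by a 13-digit epoch-millisecond value
# (what TIME_FORMAT = %s%3N would consume).
TIME_PREFIX_RE = re.compile(r"\s(end|rt)=(\d{13})")


def split_header(event):
    """Return (7 header fields, extension string), splitting on unescaped
    '|' and honouring the CEF header escapes '\\|' and '\\\\'."""
    start = event.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    fields, buf, i = [], [], start + len("CEF:")
    while i < len(event) and len(fields) < 7:
        ch = event[i]
        if ch == "\\" and i + 1 < len(event) and event[i + 1] in "|\\":
            buf.append(event[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    return fields, event[i:]


def unescape_value(value):
    """Undo the CEF extension-value escapes: '\\=', '\\\\', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "=\\":
                out.append(nxt); i += 2; continue
            if nxt in "nr":
                out.append("\n" if nxt == "n" else "\r"); i += 2; continue
        out.append(value[i]); i += 1
    return "".join(out)


def parse_extensions(ext):
    """key=value pairs; a value runs up to the next ' key=' boundary, which
    is how the cefKeys lookahead delimits values in Splunk."""
    matches = list(KEY_RE.finditer(ext))
    result = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        result[m.group(1)] = unescape_value(ext[m.end():end].strip())
    return result


def parse_cef(event):
    """Header fields (cef_* names) merged with the extension key/values."""
    fields, ext = split_header(event)
    record = dict(zip(HEADER_FIELDS, fields))
    record.update(parse_extensions(ext))
    return record


def event_time(event):
    """First whitespace-preceded end= or rt= value as a UTC datetime, or
    None when neither field is present (Splunk would then fall back to
    other timestamp heuristics)."""
    m = TIME_PREFIX_RE.search(event)
    if m is None:
        return None
    millis = int(m.group(2))
    return datetime.fromtimestamp(millis // 1000, tz=timezone.utc).replace(
        microsecond=(millis % 1000) * 1000)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        rec = parse_cef(line)
        print(event_time(line), rec["cef_name"], rec.get("msg", rec.get("cat")))
```

Running it prints the receipt time chosen for each sample, which is the quickest way to see that the second event resolves to its end= value and not to mrt= or art=. The one place this deliberately differs from the posted transforms.conf is escape handling: Splunk's [^|]* header match and the cefKeys lookahead do not unescape values, so a message containing an escaped pipe or equals sign will come through with the backslashes intact there.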
Hi, I would appreciate it if you could send me the ArcSight Connector to Splunk configuration instructions. Also, what is a good architecture for an MSSP environment: sending data from the Connector to Splunk, or sending data from Logger to Splunk?