Hi folks,
I am seeking some assistance with the formatting of forwarded Splunk data to a third-party collector. We have managed to get everything forwarding fine by configuring C:\Program Files\Splunk\etc\system\local\outputs.conf:
[syslog]
defaultGroup=syslogGroup
maxEventSize = 65535
[syslog:syslogGroup]
server = IPAddress:514
type = tcp
The problem is that for all of them (Windows logs only) we get every field of a log as a separate event, which multiplies traffic drastically. I read briefly about line breaking but I'm not sure how to configure this, and we only have a live environment and wouldn't want to make any changes that could potentially break our existing Splunk instance, as it's used heavily by all our IT departments.
Any advice would be appreciated.
Cheers!
Hi @michaelking,
I think the issue is on the receiver side, since we are using this setup to forward Windows security events to CyberArk PTA without a problem. You should check the options on the Exabeam receiver.
I also recommend using UDP syslog output, because if the receiver side does not listen or receive events fast enough, your Splunk indexing process may be blocked.
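One way to check, on the collector side, whether the multiplication comes from newline framing rather than from the forwarder, as an added example that is not from this thread, Splunk or Exabeam: it assumes the forwarder writes each event as "<PRI>timestamp host message" over the TCP stream with the event's own newlines passed through, so a collector that ends a message at every newline sees each field of a Windows event as its own message. The sample stream, hostnames and field values are constructed.

```python
import re

# Constructed sample of what a newline-framed TCP syslog receiver would see for
# two forwarded Windows security events. Only the first line of each event
# carries the syslog PRI header; the other lines are the event's own fields
# (hypothetical values, not taken from the thread).
SAMPLE_STREAM = (
    "<134>Jan 10 10:00:01 winhost01 EventCode=4624\n"
    "LogName=Security\n"
    "Message=An account was successfully logged on.\n"
    "Logon Type:\t3\n"
    "<134>Jan 10 10:00:02 winhost01 EventCode=4634\n"
    "LogName=Security\n"
    "Message=An account was logged off.\n"
)

# RFC 3164 style header: "<PRI>", a "Mon DD hh:mm:ss" timestamp, then a hostname.
HEADER_RE = re.compile(r"^<(\d{1,3})>\S+ +\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")


def split_by_newline(stream: str) -> list[str]:
    """Naive framing: every newline ends a message (what the reporter observed)."""
    return [line for line in stream.split("\n") if line]


def reassemble_by_header(stream: str) -> list[str]:
    """Header-based framing: a line starts a new message only when it begins
    with a syslog header; any other line is a continuation of the previous event."""
    events: list[str] = []
    for line in split_by_newline(stream):
        if HEADER_RE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def fragment_ratio(stream: str) -> float:
    """Messages a newline-framed collector emits per real event (1.0 means no splitting)."""
    return len(split_by_newline(stream)) / len(reassemble_by_header(stream))


if __name__ == "__main__":
    print(f"newline-framed messages: {len(split_by_newline(SAMPLE_STREAM))}")
    print(f"header-framed events:    {len(reassemble_by_header(SAMPLE_STREAM))}")
    print(f"traffic multiplier:      {fragment_ratio(SAMPLE_STREAM):.1f}x")
```

Pointing the same two functions at a capture of the real stream (for example a short tcpdump of port 514 decoded to text) shows whether the collector's framing, rather than the forwarder, is producing the extra events.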
Thanks @scelikok
I will get the Exabeam people to take another look; they indicated it was an issue with the Splunk side, as they have done the same setup with some of our other sites.
I tried UDP initially, but it would only work for 10 minutes and then start erroring; when I switched to TCP it seemed more stable.
Cheers
Sorry, I forgot to mention: the collector is a Linux-based system using an installation of Exabeam to collect the data.
Cheers