Collect data from Splunk

See the changelog of the Syslog Listener type here.

Splunk Setup

The usual way to get Splunk data into the Syslog Listener is to send it from a Splunk Heavy Forwarder (HF), using three configuration files: outputs.conf (the syslog destination), and props.conf together with transforms.conf (which events are routed to it).

The HF is required because the syslog output processor is not available on Universal Forwarders (UFs): a UF only passes data on unparsed, so it cannot format and route events to a third-party system using the Syslog protocol.

See here for more information on types of Splunk forwarders.

You will need to create or edit these files on your Heavy Forwarder, either in $SPLUNK_HOME/etc/system/local/ or, preferably, in a custom app directory ($SPLUNK_HOME/etc/apps/<app>/local/), which is easier to deploy, version and remove than system/local.

1. Define the Syslog Destination

The outputs.conf file tells the Heavy Forwarder where to send the data. You must define a syslog output group ([syslog:<target_group>]) rather than a standard TCP output group ([tcpout:<group>]); the two stanza types take different settings.

Configuration, example value and description of each setting:

Syslog group: [syslog]
    The global syslog output stanza. Settings placed here apply to every syslog target group.

Default group: defaultGroup = onum_syslog_group
    Names the target group(s) that receive all data not routed elsewhere. If you only want to send a subset of logs to Onum, leave defaultGroup unset and route the subset with props.conf and transforms.conf instead.

Target stanza: [syslog:onum_syslog_group]
    Defines the specific Onum destination (one stanza per target group).

Server: server = 10.1.1.200:514
    Required. The syntax is server = [<onum_siem_ip>|<onum_siem_host>]:<port>, the address and port of the Onum Syslog Listener (514 is the conventional syslog port; use whatever port the listener was created with).

Data format: sendCookedData = false
    Not needed for a syslog group. sendCookedData is a [tcpout] setting; a syslog output group always sends the raw event text and never Splunk's internal cooked format, so leaving this line in is harmless but it is not what keeps the data raw.

Protocol: type = udp (or tcp)
    Transport protocol; udp is the default. Syslog traditionally uses UDP, but TCP is preferred for reliability. These are the only two options: a syslog output group cannot speak TLS.

# $SPLUNK_HOME/etc/system/local/outputs.conf

[syslog]
# defaultGroup sends every event the HF processes; omit it to forward only
# the events routed by props.conf/transforms.conf
defaultGroup = onum_syslog_group

[syslog:onum_syslog_group]
# Onum Syslog Listener address and port (host:port)
server = 10.1.1.200:514
# tcpout-only setting; a syslog group always sends raw text, so it has no effect here
sendCookedData = false
# udp (default) or tcp; the only transports a syslog group supports
type = udp

To avoid forwarding everything the Heavy Forwarder processes, leave defaultGroup unset and use props.conf and transforms.conf to route only the desired events (for example, one sourcetype or index): a transforms.conf stanza sets DEST_KEY = _SYSLOG_ROUTING and FORMAT = <target_group>, and props.conf applies that stanza to the chosen sourcetype with a TRANSFORMS-<name> setting.
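The routing the paragraph above describes, as an added example that is not Onum's or Splunk's own code: the three conf texts are constructed for this page (the app name onum_syslog_out and the sourcetypes pan:traffic and WinEventLog:Security are assumptions), and the check after them catches the mistakes that silently send everything or nothing, namely a defaultGroup left set, a FORMAT that names a syslog group outputs.conf does not define, and a TRANSFORMS- reference to a stanza that does not exist.

```python
"""Cross-check outputs.conf, props.conf and transforms.conf on a Heavy
Forwarder that routes a subset of events to an Onum syslog group.
Added example for this page; not Onum or Splunk code.  The three conf
texts are constructed and the app name and sourcetypes are assumptions."""
import configparser

# $SPLUNK_HOME/etc/apps/onum_syslog_out/local/outputs.conf (assumed app name)
OUTPUTS_CONF = """
[syslog]
# no defaultGroup: only events matched by the routing transform leave the HF

[syslog:onum_syslog_group]
server = 10.1.1.200:514
type = tcp
"""

# $SPLUNK_HOME/etc/apps/onum_syslog_out/local/props.conf
PROPS_CONF = """
# Apply the routing transform only to the sourcetypes Onum should receive.
[pan:traffic]
TRANSFORMS-onum = onum_syslog_route

[WinEventLog:Security]
TRANSFORMS-onum = onum_syslog_route
"""

# $SPLUNK_HOME/etc/apps/onum_syslog_out/local/transforms.conf
TRANSFORMS_CONF = """
# DEST_KEY = _SYSLOG_ROUTING with FORMAT = <group> sends each event that
# matches REGEX to the [syslog:<group>] stanza in outputs.conf.
[onum_syslog_route]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = onum_syslog_group
"""


def parse_conf(text):
    """Parse Splunk .conf text: INI-style stanzas with case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep DEST_KEY, defaultGroup etc. as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_routing(outputs_text, props_text, transforms_text):
    """Return a list of problems; an empty list means the three files agree."""
    outputs = parse_conf(outputs_text)
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []

    groups = {n.split(":", 1)[1] for n in outputs if n.startswith("syslog:")}
    if not groups:
        problems.append("outputs.conf defines no [syslog:<group>] stanza")
    for group in groups:
        server = outputs["syslog:" + group].get("server") or ""
        host, sep, port = server.rpartition(":")
        if not (sep and host and port.isdigit()):
            problems.append(f"[syslog:{group}] server must be host:port, got {server!r}")

    # A defaultGroup sends every event the HF processes, defeating the filter.
    if "defaultGroup" in outputs.get("syslog", {}):
        problems.append("[syslog] defaultGroup is set: every event will be sent, not a subset")

    routing = set()
    for name, kv in transforms.items():
        if kv.get("DEST_KEY") != "_SYSLOG_ROUTING":
            continue
        routing.add(name)
        if "REGEX" not in kv:
            problems.append(f"transforms [{name}] has no REGEX, so it never matches")
        for target in (t.strip() for t in (kv.get("FORMAT") or "").split(",")):
            if target not in groups:
                problems.append(f"transforms [{name}] FORMAT names unknown syslog group {target!r}")
    if not routing:
        problems.append("no transform sets _SYSLOG_ROUTING, so nothing is routed to syslog")

    used = set()
    for stanza, kv in props.items():
        for key, value in kv.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for ref in (r.strip() for r in (value or "").split(",")):
                used.add(ref)
                if ref not in transforms:
                    problems.append(f"props [{stanza}] {key} references missing transform {ref!r}")
    for name in routing - used:
        problems.append(f"transforms [{name}] is not applied by any props.conf stanza")
    return problems


if __name__ == "__main__":
    for problem in check_routing(OUTPUTS_CONF, PROPS_CONF, TRANSFORMS_CONF) or ["ok"]:
        print(problem)
```

Run the check against the files you actually deploy (read them from the app's local/ directory instead of the embedded strings) before restarting the HF; on a live forwarder, `splunk btool outputs list --debug` shows the merged result that this check should agree with.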

Onum Setup

1. Log in to your Onum tenant and click Listeners > New listener.

2. Double-click the Syslog Listener.

3. Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

4. Enter the required Port and Protocol (TCP or UDP).

These must match the server port and type set in the Heavy Forwarder's outputs.conf. UDP 514 is the traditional syslog port, TCP 514 is common for plain TCP syslog, and 6514 is the IANA-assigned port for syslog over TLS; if in doubt, check the sender's configuration or the documentation for the device or application that emits the logs. Note that UDP gives no delivery guarantee and its source address is trivially spoofed, so beyond a trusted LAN prefer TCP and restrict which hosts can reach the listener port.

5. Choose the required Framing Method, which defines how the listener finds message boundaries in the incoming byte stream (this matters for TCP; each UDP datagram carries exactly one message). Choose between:

  • Auto-Detect - the listener infers the framing from the data it receives (typically, a leading decimal length followed by a space indicates octet counting).

  • Non-Transparent Framing (newline) - each message is terminated by a newline character (\n), the LF trailer of RFC 6587 non-transparent framing. A newline therefore cannot be part of a message: an event containing one is delivered as several messages.

  • Non-Transparent Framing (zero) - each message is terminated by a null byte (\0) instead of a newline.

  • Octet Counting (message length) - each message is preceded by its length in octets (bytes) and a space, for example 55 <13>..., so the message body may contain any byte, including newlines and null bytes.

Prefer octet counting whenever the sender supports it. With non-transparent framing, an event that embeds the trailer character in attacker-influenced content (a username, a URL, a free-text field) is split by the listener, and the text after the trailer is parsed as a separate, forged syslog record. Whichever method you choose, capture a few messages on the wire and confirm they match what the sender actually emits.
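To make the framing choice concrete, here is an added example (not Onum's code) that implements the sender and receiver sides of the three framing methods plus the length-and-space heuristic used for auto-detection, over two constructed messages. The second message carries a newline inside a user-controlled field; under newline framing the receiver turns the text after it into a separate, forged sshd record, while octet counting keeps it inside the one event. The hostnames, timestamps and message texts are made up for the example.

```python
"""Sender and receiver sides of the syslog framing methods (RFC 6587).
Added example for this page, not Onum code; the two messages are constructed."""
import re


def frame_octet_counting(messages):
    """Sender: 'MSG-LEN SP MSG' per message, so any byte may appear in MSG."""
    return b"".join(b"%d %s" % (len(m), m) for m in messages)


def frame_non_transparent(messages, trailer=b"\n"):
    """Sender: MSG followed by a trailer byte (LF or NUL) per message."""
    return b"".join(m + trailer for m in messages)


def split_octet_counting(data):
    """Receiver: return (complete messages, unread tail) from a byte stream."""
    messages, pos = [], 0
    while pos < len(data):
        m = re.match(rb"(\d+) ", data[pos:pos + 12])
        if not m:
            break                          # header not complete yet (or invalid)
        length, start = int(m.group(1)), pos + m.end()
        if start + length > len(data):
            break                          # body not complete yet
        messages.append(data[start:start + length])
        pos = start + length
    return messages, data[pos:]


def split_non_transparent(data, trailer=b"\n"):
    """Receiver: every trailer ends a message; the piece after the last one
    is an unfinished message.  A trailer inside an event cannot be told apart
    from a real boundary, which is the weakness of this framing."""
    parts = data.split(trailer)
    return parts[:-1], parts[-1]


def detect_framing(data):
    """Heuristic auto-detect: a decimal length and a space mean octet counting;
    otherwise guess the trailer from whether NUL bytes are present."""
    if re.match(rb"\d+ ", data):
        return "octet"
    return "zero" if b"\0" in data else "newline"


SPLITTERS = {
    "octet": split_octet_counting,
    "newline": lambda d: split_non_transparent(d, b"\n"),
    "zero": lambda d: split_non_transparent(d, b"\0"),
}


def split_messages(data, method="auto"):
    """Split a received byte stream using the listener's configured framing."""
    if method == "auto":
        method = detect_framing(data)
    return SPLITTERS[method](data)


# Constructed sample events.  TAINTED has a newline in a user-supplied field
# followed by text that looks like a separate authentication record.
CLEAN = b"<13>Jan 10 12:00:00 hf01 app: user=alice action=login"
TAINTED = (b"<13>Jan 10 12:00:01 hf01 app: user=mallory note=ok\n"
           b"<13>Jan 10 12:00:01 hf01 sshd: Accepted password for root from 10.0.0.9")
NEWLINE_STREAM = frame_non_transparent([CLEAN, TAINTED])
OCTET_STREAM = frame_octet_counting([CLEAN, TAINTED])

if __name__ == "__main__":
    # Newline framing yields three records, the last a forged sshd login;
    # octet counting yields the two events exactly as sent.
    for name, stream in (("newline", NEWLINE_STREAM), ("octet", OCTET_STREAM)):
        messages, _ = split_messages(stream, name)
        print(f"{name}: {len(messages)} message(s)")
        for msg in messages:
            print("   ", msg)
```

The receiver functions return the unread tail as well as the complete messages because TCP delivers a stream, not records: a real listener keeps that tail and prepends it to the next read. The auto-detect heuristic is only as good as the first bytes it sees, so fix the method explicitly once you know what the sender emits.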

6. If you're using TLS, fill in the TLS configuration section with the material you received from the Onum team (Certificate, Private key and CA chain), then choose your Client authentication method and Minimum TLS version.

Note that a Splunk syslog output group sends only plain TCP or UDP and cannot speak TLS itself; to deliver to a TLS-enabled listener, place a TLS-capable syslog relay between the Heavy Forwarder and Onum.

7. If you're using TLS and do not yet have this material, contact Onum to get the certificate information needed for TLS communication.

The TLS credentials are saved in Onum as Secrets. In the TLS form, click New secret to create a new one:

  • Give the secret a Name.

  • Turn off the Expiration date option.

  • Click Add new value.

  • Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

8. Finally, click Create labels. Optionally, set labels to be used for internal Onum routing of data; by default, data is Unlabeled.

Learn more about labels in this article.

Click Create listener when you're done.
