# Collect data from Splunk

{% hint style="info" %}
See the changelog of the **Syslog** Listener type [here](https://app.gitbook.com/s/1OZWDcmMPrhfCtF1rMJP/syslog-listener).
{% endhint %}

## Splunk Setup

The usual scenario for sending Splunk data to Onum via [the Syslog Listener](https://docs.onum.com/the-workspace/listeners/listener-integrations/collect-data-using-syslog) uses a **Splunk Heavy Forwarder (HF)** and three configuration files: `outputs.conf`, `props.conf`, and `transforms.conf`.

The HF is necessary because Universal Forwarders (UFs) do not parse events, so they cannot format and route data to a third-party system over **the Syslog protocol**.

[See here for more information on types of Splunk forwarders.](https://help.splunk.com/en/splunk-enterprise/forward-and-process-data/forwarding-and-receiving-data/10.0/introduction-to-forwarding/types-of-forwarders)

You will need to create or edit these files, typically located in `$SPLUNK_HOME/etc/system/local/` or a custom app directory on your Heavy Forwarder.

#### 1. Define the Syslog Destination

The `outputs.conf` file tells the **Heavy Forwarder** where to send the data. You must define a Syslog output group (`[syslog:<target_group>]`) rather than a standard TCP output group.

| **Configuration** | **Example Value**                  | **Description**                                                                                                                          |
| ----------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| Syslog Group      | `[syslog]`                         | Defines the default syslog output settings.                                                                                              |
| Default Group     | `defaultGroup = onum_syslog_group` | Specifies the default target group for all unrouted data. If you only want to send a *subset* of logs, do not set a `defaultGroup` here. |
| Target Stanza     | `[syslog:onum_syslog_group]`       | Defines the specific ONUM destination.                                                                                                   |
| Server            | `server = 10.1.1.200:514`          | `server = [<onum_siem_ip>\|<onum_siem_host>]:<port>` The IP address and port (default is UDP 514) of the ONUM Syslog receiver.           |
| Data Format       | `sendCookedData = false`           | CRITICAL. This ensures Splunk sends the raw, unprocessed log data (not Splunk's internal 'cooked' format).                               |
| Protocol          | `type = udp` (or `tcp`)            | Specifies the transport protocol. Syslog traditionally uses UDP, but TCP is often preferred for reliability.                             |

```
# $SPLUNK_HOME/etc/system/local/outputs.conf

[syslog]
defaultGroup = onum_syslog_group

[syslog:onum_syslog_group]
server = 10.1.1.200:514
sendCookedData = false
type = udp
```

#### 2. Selective Routing (Recommended)

To avoid sending *all* data from the Heavy Forwarder to Onum, use `props.conf` and `transforms.conf` to select only the desired events (for example, a specific sourcetype, source, or host) and route them to the syslog target group. With no `defaultGroup` set under `[syslog]` in `outputs.conf`, everything else keeps its normal route to the indexers.
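A worked selective-routing configuration, added here as an example (it is not taken from the Onum or Splunk documentation). It reuses the `onum_syslog_group` target from the `outputs.conf` above; the sourcetype name `WinEventLog:Security` and the `EventCode` regex are assumptions for illustration, so substitute your own.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf
# Attach a routing transform to the sourcetype you want to forward to Onum.
# The sourcetype name below is an example; use the one you actually ingest.
[WinEventLog:Security]
TRANSFORMS-onum_route = onum_syslog_route

# $SPLUNK_HOME/etc/system/local/transforms.conf
# Events whose _raw matches REGEX get the syslog routing key set to the
# target group defined in outputs.conf. Events that do not match keep their
# normal route to the indexers and are not sent to Onum.
# To forward every event of the sourcetype instead, use: REGEX = .
[onum_syslog_route]
REGEX = EventCode=(4624|4625|4672)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = onum_syslog_group

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Deliberately no [syslog] defaultGroup: only events tagged by the transform
# above reach this target group.
[syslog:onum_syslog_group]
server = 10.1.1.200:514
type = tcp
sendCookedData = false
```

After editing, restart the Heavy Forwarder (`$SPLUNK_HOME/bin/splunk restart`) and confirm the merged configuration with `splunk btool transforms list onum_syslog_route --debug` and `splunk btool outputs list syslog:onum_syslog_group --debug`, which show the file each setting was read from. The `type` value here must match the **Protocol** chosen for the Onum Listener.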

{% hint style="info" %}
The form may look different if you are using this Listener in a cloud environment. For more information on this, see the main article on [Collecting data using Syslog](https://docs.onum.com/the-workspace/listeners/listener-integrations/collect-data-using-syslog). The steps are the same; just make sure the `server` value in the Splunk `outputs.conf` stanza is the address and port Onum shows for the Listener.
{% endhint %}

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Listeners > New listener**.
{% endstep %}

{% step %}
Double-click the **Syslog** Listener.
{% endstep %}

{% step %}
Enter a **Name** for the new Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
Enter the required **Port** and **Protocol** (**TCP** or **UDP**). For cloud-based Onum installations, the **Socket** and **Protocol** sections are not visible (port `443` and protocol `TCP` are used by default). If the **Port** field is shown, enter the required port.

{% hint style="warning" %}
Note that by default, available TCP ports are 1024 to 10000.
{% endhint %}

While UDP 514 is the standard, some implementations use TCP 514 or other ports, depending on configuration or security requirements. To determine the syslog port value, check the configuration settings of your syslog server or consult the documentation for your specific device or application. Whatever you choose here must match the `server = <host>:<port>` and `type = udp` or `type = tcp` values in the `[syslog:<target_group>]` stanza of the Heavy Forwarder's `outputs.conf`.
{% endstep %}

{% step %}
Choose the required **Framing Method**, which determines how the Listener finds the boundaries between consecutive syslog messages in a TCP stream (UDP needs no framing, because each datagram carries exactly one message). Choose between:

* **Auto-Detect** - automatically detect the framing method from the incoming data.
* **Non-Transparent Framing (newline)** - each message is terminated by a **newline** character (`\n`). The newline is the delimiter, so a message body that itself contains a newline (for example, a multi-line event) is split into two messages.
* **Non-Transparent Framing (zero)** - each message is terminated by a **null byte** (`\0`) instead of a newline. Use this when message bodies may contain newlines but never null bytes.
* **Non-Transparent Framing (custom)** - choose this option if the sender uses a vendor-specific or custom trailer rather than one of the standard ones. Enter the specific character(s) that mark the end of each syslog message in the **Custom trailer characters** parameter that appears.
* **Octet Counting (message length)** - each syslog message is preceded by a count of its length in octets (bytes) followed by a space. No delimiter is needed, so the message body may contain any bytes, newlines included.
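The following is an added example for this page, not Onum or Splunk code. It implements the two RFC 6587 framings the options above describe (octet counting and trailer-based non-transparent framing) together with the matching receiver-side parsers, and runs them over three constructed sample messages, one of which carries an embedded newline like a multi-line Splunk event. The host name `hf01` and the message contents are made up.

```python
"""Syslog-over-TCP framing: octet counting vs non-transparent (trailer) framing.

Added example (not Onum or Splunk code). Shows why the Listener's Framing
Method must match the sender: a multi-line event survives octet counting and
NUL framing but is split in two by newline framing.
"""
import re

# Constructed sample messages (RFC 5424 header, hypothetical host "hf01").
MESSAGES = [
    "<134>1 2024-05-01T12:00:00Z hf01 splunk - - - user=alice action=login",
    "<134>1 2024-05-01T12:00:01Z hf01 splunk - - - java.lang.Error\n\tat Foo.run",
    "<134>1 2024-05-01T12:00:02Z hf01 splunk - - - user=bob action=logout",
]


def frame_non_transparent(messages, trailer=b"\n"):
    """Non-transparent framing: MSG TRAILER, with TRAILER = LF, NUL or a custom byte string."""
    return b"".join(m.encode("utf-8") + trailer for m in messages)


def frame_octet_counting(messages):
    """Octet counting: MSG-LEN SP MSG, where MSG-LEN is the byte length of MSG."""
    out = bytearray()
    for m in messages:
        data = m.encode("utf-8")
        out += str(len(data)).encode("ascii") + b" " + data
    return bytes(out)


def parse_non_transparent(stream, trailer=b"\n"):
    """Split a received byte stream on TRAILER.

    Returns (complete_messages, remainder); remainder holds bytes not yet
    followed by a trailer, i.e. a partial message still in flight.
    """
    parts = stream.split(trailer)
    return [p.decode("utf-8") for p in parts[:-1]], parts[-1]


def parse_octet_counting(stream):
    """Repeatedly read 'LEN SP' and then exactly LEN bytes.

    Returns (complete_messages, remainder); parsing stops at the first frame
    whose bytes have not all arrived and leaves that frame in remainder.
    """
    messages, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1:
            break  # length prefix still incomplete
        length = int(stream[pos:sp])  # ValueError here means the stream is not octet-counted
        start, end = sp + 1, sp + 1 + length
        if end > len(stream):
            break  # message body still incomplete
        messages.append(stream[start:end].decode("utf-8"))
        pos = end
    return messages, stream[pos:]


def detect_framing(stream):
    """Auto-detect the way receivers usually do: digits followed by a space
    means octet counting; a leading '<' (the PRI field) means trailer framing."""
    head = stream[:12]
    if re.match(rb"\d+ ", head):
        return "octet_counting"
    if head.startswith(b"<"):
        return "non_transparent"
    return "unknown"


def framing_comparison():
    """Number of messages each framing yields for MESSAGES (3 were sent)."""
    lf_msgs, _ = parse_non_transparent(frame_non_transparent(MESSAGES, b"\n"), b"\n")
    nul_msgs, _ = parse_non_transparent(frame_non_transparent(MESSAGES, b"\0"), b"\0")
    oc_msgs, _ = parse_octet_counting(frame_octet_counting(MESSAGES))
    return {"newline": len(lf_msgs), "zero": len(nul_msgs), "octet_counting": len(oc_msgs)}


if __name__ == "__main__":
    # Newline framing splits the multi-line event in two; NUL and octet counting keep it whole.
    print(framing_comparison())
```

If a sender and the Listener disagree on framing, the symptoms are exactly what `framing_comparison()` shows: multi-line events arrive as fragments, or an octet-counted stream is read as one message with a stray length prefix. Picking **Auto-Detect**, or checking a packet capture against these parsers, is the quickest way to settle which method the Heavy Forwarder actually emits.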
{% endstep %}

{% step %}
In cloud-based Onum installations, the **TLS** configuration section is not visible. In these setups, Onum manages the **TLS** certificates automatically, so no manual configuration is needed.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain.** Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.

**Now there are two possible scenarios:**

If you didn't enter your **TLS** certificates, when you click **Create listener** you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. Here you can download the certificate (see the [steps after creation to do this](#download-certificate)).

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

If you entered the TLS certificates, you'll go directly to the Labels step when you click **Create listener**.
{% endstep %}

{% step %}
The TLS credentials are saved in Onum as Secrets. In the TLS form, click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value.**
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.
{% endstep %}

{% step %}
Finally, click **Create labels**. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as **Unlabeled**. Click **Create listener** when you're done.

{% hint style="info" %}
Learn more about labels in [this article](https://docs.onum.com/the-workspace/listeners/labels).
{% endhint %}
{% endstep %}
{% endstepper %}

