Configuring a Log Source for Splunk Forwarded Events

To collect raw events that are forwarded from Splunk, you must configure a log source in JSA.

On your Splunk forwarder, set sendCookedData to false in the [tcpout] stanza of outputs.conf, so that the forwarder sends raw (uncooked) data to JSA instead of the Splunk-to-Splunk cooked data stream.
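The following outputs.conf fragment is an added example, not from the original page, of forwarder settings that match the JSA log source configured in this procedure. The JSA address 192.0.2.10 and the group name jsa_raw are assumed placeholders; the port must equal the Listen Port you set in JSA (default 12468).

```ini
# outputs.conf on the Splunk forwarder (added example, not from the page).
# 192.0.2.10 is an assumed JSA address; jsa_raw is an assumed group name.
[tcpout]
defaultGroup = jsa_raw

[tcpout:jsa_raw]
# Must match the Listen Port of the JSA TCP Multiline Syslog log source.
server = 192.0.2.10:12468
# Send the raw event text rather than Splunk's cooked data stream.
sendCookedData = false
```

If the forwarder must also keep sending to Splunk indexers, list both groups in defaultGroup and leave sendCookedData at its default in the indexer group; only the JSA group needs raw data.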

  1. Log in to JSA.
  2. Click the Admin tab.
  3. In the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for your log source.
  8. From the Log Source Type list, select Microsoft Windows Security Event Log.
  9. From the Protocol Configuration list, select TCP Multiline Syslog.
  10. Configure the following values:

    Table 1: Protocol Parameters for TCP Multiline Syslog

    Parameter

    Description

    Protocol Configuration

    TCP Multiline Syslog

    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for events from your Splunk appliance.

    The log source identifier must be a unique value.

    Listen Port

    Type the port number that JSA uses to accept incoming TCP multiline syslog events from Splunk.

    The default listen port is 12468.

    Note: Do not use listen port 514, which is already used by the standard syslog listener.

    The port number that you configure on JSA must match the port number that is configured on the Splunk forwarder. Each listen port in JSA accepts up to 50 inbound forwarder connections.

    If more forwarder connections are necessary, create multiple Splunk forwarder log sources on different ports. The limit applies to the number of forwarder connections, not to the number of log sources whose events arrive over each forwarder connection.

    Event Formatter

    From the list, select Windows Multiline, the formatter for multiline events that are formatted specifically for Windows.

    The event formatter ensures that the format of the TCP multiline event matches the event pattern for the event type that you selected.

    Aggregation Method

    The default is Start/End Matching. If you want to combine multiline events that are joined by a common identifier, use ID-Linked.

    Event Start Pattern

    This parameter is available when you set the Aggregation Method parameter to Start/End Matching.

    The regular expression (regex) that identifies the start of a TCP multiline event payload. Syslog headers typically begin with a date or time stamp. The protocol can build an event based solely on an event start pattern, such as a time stamp: when only a start pattern is available, it captures everything between one start value and the next to form a single event.

    Type the following regex to identify the start of your Splunk Windows event (the syslog header is optional; the Windows date stamp is mandatory):

    (?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)

    Event End Pattern

    This parameter is available when you set the Aggregation Method parameter to Start/End Matching.

    The regular expression (regex) that identifies the end of a TCP multiline event payload. If every syslog event ends with the same value, you can use a regex to determine the end of an event. The protocol can capture events based solely on an event end pattern: when only an end pattern is available, it captures everything between one end value and the next to form a single event.

    Message ID Pattern

    This parameter is available when you set the Aggregation Method parameter to ID-Linked.

    The regular expression (regex) that filters the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message; lines that share the same captured value are joined into one event.

    Show Advanced Options

    The default is No. If you want to customize the event data, select Yes.

    Use Custom Source Name

    This parameter is available when you set Show Advanced Options to Yes.

    Select the check box if you want to customize the source name with regex.

    Source Name Regex

    This parameter is available when you check Use Custom Source Name.

    The regular expression (regex) that captures one or more values from event payloads that are handled by this protocol. These values are used along with the Source Name Formatting String parameter to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value.

    Source Name Formatting String

    This parameter is available when you check Use Custom Source Name.

    You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol:

    • One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation, where x is the index of a capture group from the Source Name Regex.

    • The IP address from which the event data originated. To refer to the packet IP, use the token $PIP$.

    • Literal text characters. The entire Source Name Formatting String can be user-provided text. For example, if the Source Name Regex is 'hostname=(.*?)' and you want to append hostname.com to the capture group 1 value, set the Source Name Formatting String to \1.hostname.com. If an event that contains hostname=ibm is processed, the event payload's source value is set to ibm.hostname.com, and JSA routes the event to a log source with that Log Source Identifier. Note that a lazy group with nothing after it, such as (.*?), matches the shortest possible string, which is empty; in practice, bound the capture, for example hostname=(\S+).

    Use as a Gateway Log Source

    This parameter is available when you set Show Advanced Options to Yes.

    When selected, events that flow through the log source can be routed to other log sources, based on the source name tagged on the events.

    When this option is not selected and Use Custom Source Name is not checked, incoming events are tagged with a source name that corresponds to the Log Source Identifier parameter.

    Flatten Multiline Events into Single Line

    This parameter is available when you set Show Advanced Options to Yes.

    When set to Yes, the aggregated event is shown on one single line; when set to No, the line breaks between the original lines are kept and the event is shown on multiple lines.

    Retain Entire Lines during Event Aggregation

    This parameter is available when you set Show Advanced Options to Yes.

    If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to keep, rather than discard, the part of each line that precedes the Message ID Pattern match when lines with the same ID are concatenated into one event.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.
  13. If more than 50 Splunk forwarders connect to JSA, repeat this procedure to create another log source on a different listen port, because each listen port accepts at most 50 forwarder connections.

    Events that are provided by the Splunk Forwarder to JSA are displayed on the Log Activity tab.
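The following Python script is an added example, not code from the original page or from JSA, that shows what the Event Start Pattern and the Source Name Regex / Source Name Formatting String parameters above do to a forwarded stream. It assumes the start pattern is anchored at the beginning of each line (so a date inside a Message= field does not open a new event), uses an assumed Source Name Regex of ComputerName=(\S+), and runs over a constructed sample of two Windows events as a Splunk forwarder would send them raw.

```python
import re

# Event Start Pattern exactly as given in the table above: the syslog header
# <PRI>Mon DD HH:MM:SS host is optional, the Windows date stamp is mandatory.
EVENT_START = re.compile(
    r"(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)"
)

# Tokens allowed in a Source Name Formatting String: \x capture groups and $PIP$.
FORMAT_TOKEN = re.compile(r"\\(\d+)|\$PIP\$")

# Constructed sample stream (not real data): two Windows events, the first
# with a syslog header, the second with a date stamp inside its Message field.
SAMPLE_STREAM = """\
<13>Jun 21 10:15:32 splunkfwd01 06/21/2023 10:15:32 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
ComputerName=WIN-DC01.example.com
Message=An account was successfully logged on.
06/21/2023 10:15:33 AM
LogName=Security
EventCode=4625
ComputerName=WIN-FS02.example.com
Message=Logon failed at 06/21/2023 10:15:33 AM for user alice.
""".splitlines()


def aggregate_start_only(lines):
    """Start/End Matching with a start pattern and no end pattern: a line that
    matches EVENT_START opens a new event and every following line up to the
    next match belongs to it. Assumption: the pattern is anchored at line
    start, so the date in the Message= line does not split an event. Lines
    received before the first start line are dropped."""
    events, current = [], None
    for line in lines:
        if EVENT_START.match(line):
            if current is not None:
                events.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        events.append("\n".join(current))
    return events


def source_name(event, source_regex, fmt, packet_ip, default):
    """Apply Source Name Regex + Source Name Formatting String to one event:
    \\x expands to capture group x of the regex, $PIP$ to the sender's IP.
    If the regex does not match, the event keeps the Log Source Identifier."""
    m = source_regex.search(event)
    if m is None:
        return default

    def expand(tok):
        if tok.group(1) is None:
            return packet_ip
        idx = int(tok.group(1))
        return (m.group(idx) or "") if idx <= m.re.groups else ""

    return FORMAT_TOKEN.sub(expand, fmt)


def route(lines, source_regex, fmt, packet_ip, default):
    """Gateway behaviour: aggregate the stream, tag each event with its source
    name and group events by the Log Source Identifier they would route to."""
    routed = {}
    for event in aggregate_start_only(lines):
        name = source_name(event, source_regex, fmt, packet_ip, default)
        routed.setdefault(name, []).append(event)
    return routed


if __name__ == "__main__":
    # Assumed Source Name Regex; \1 is the only token in the formatting string.
    by_host = route(SAMPLE_STREAM, re.compile(r"ComputerName=(\S+)"),
                    r"\1", "10.1.2.3", "splunk-fwd")
    for host, events in by_host.items():
        print(host, "<-", len(events), "event(s)")
```

The page's own example regex hostname=(.*?) is worth trying through source_name: because nothing follows the lazy group, it captures the empty string and yields .hostname.com rather than ibm.hostname.com, whereas hostname=(\S+) gives the intended result.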