Syslog Reporting Splunk
  • 16 Oct 2020

Setup for SIEM integration such as Splunk

SecureCircle will output detailed server and usage logs to any SIEM or syslog aggregator. This document gives examples of how to set up SecureCircle with Splunk; however, the same general steps apply to any SIEM.

Configuring Splunk Source Type

Note: See the table below the screenshots for the SIEM settings.

First, create a new Source Type that defines how the incoming data is parsed. If the Source Type is not configured properly, users will not be able to parse and search the data correctly.

  • Click Settings and select Source Types (under Data) from the top navigation bar.

splunk-source1.png

  • Select New Source Type from the right-hand menu. In the example below, the Source Type was given the name ‘syslog_json’.

splunk-source2.png
splunk-source3.png

Settings

Ensure the SIEM settings are configured as described.

Setting                    Value
Description                Syslog RFC3164 with JSON message body
maxDist                    3
Lookahead                  32
MAX_TIMESTAMP_LOOKAHEAD    32
Timestamp format           %b %d %H:%M:%S
TIME_FORMAT                %b %d %H:%M:%S
Extraction                 Advanced
Category                   Application
Time Zone                  Auto
Event Breaks               Every Line
SHOULD_LINEMERGE           False
Indexed Extractions        None
SEDCMD-Stripheader         s/^[^{]+//
REPORT-syslog              Syslog-extractions
TRANSFORMS                 syslog-host
NO_BINARY_CHECK            True
Pulldown_type              true
Charset                    UTF-8
Timestamp                  (leave empty)
Timestamp prefix           (leave empty)
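To see what the settings above actually do to a SecureCircle line, here is an added Python emulation (not Splunk code and not SecureCircle's own output format) of the three parsing steps the Source Type relies on: one event per line, a timestamp found with TIME_FORMAT inside the first MAX_TIMESTAMP_LOOKAHEAD characters of the RFC3164 header, and the SEDCMD `s/^[^{]+//` that strips that header so only the JSON body is left for field extraction. The sample lines, their field names and the assumed year (syslog RFC3164 carries none) are constructed for the example.

```python
import json
import re
from datetime import datetime

# Constructed sample: RFC3164 syslog lines with a JSON message body, the shape
# this Source Type expects. Field names are illustrative, not SecureCircle's.
SAMPLE_LINES = [
    '<134>Oct 16 14:22:05 sc-server securecircle[412]: {"event":"file_access","user":"alice","file":"q3.xlsx","result":"allowed"}',
    '<134>Oct 16 14:22:07 sc-server securecircle[412]: {"event":"file_access","user":"bob","file":"q3.xlsx","result":"denied"}',
    '<134>Oct 16 14:22:09 sc-server securecircle[412]: not json at all',
]

MAX_TIMESTAMP_LOOKAHEAD = 32          # Splunk only searches this many characters
TIME_FORMAT = "%b %d %H:%M:%S"        # matches the syslog header, not the JSON body
STRIP_HEADER = re.compile(r"^[^{]+")  # equivalent of SEDCMD s/^[^{]+//
ASSUMED_YEAR = 2020                   # assumption: RFC3164 has no year field


def extract_timestamp(line: str):
    """Emulate TIME_FORMAT applied within MAX_TIMESTAMP_LOOKAHEAD of line start."""
    window = line[:MAX_TIMESTAMP_LOOKAHEAD]
    m = re.search(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d", window)
    if not m:
        return None
    return datetime.strptime(m.group(0), TIME_FORMAT).replace(year=ASSUMED_YEAR)


def parse_event(line: str) -> dict:
    """One event per line (SHOULD_LINEMERGE=False): time from the header,
    fields from whatever JSON remains once the header is stripped."""
    ts = extract_timestamp(line)
    body = STRIP_HEADER.sub("", line, count=1)
    try:
        fields = json.loads(body)
    except json.JSONDecodeError:
        # Keep the raw line so a bad sender is visible in the index, not lost.
        fields = {"_raw": line, "_parse_error": True}
    fields["_time"] = ts.isoformat() if ts else None
    return fields


def parse_all(lines):
    return [parse_event(line) for line in lines]


def json_fields_without_strip(line: str):
    """What a Source Type *without* the SEDCMD strip sees: the header makes the
    whole line invalid JSON, so no fields are extracted at all."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None
```

The third sample line shows the failure mode a misconfigured or non-JSON sender produces; the fallback keeps the raw event searchable instead of silently dropping it.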

Next, configure the Data input. Click on Settings > Data inputs.
source-data.png

Configure Splunk to listen on a specific port.

  • Select the Local Input Type (UDP or TCP). This assumes the SecureCircle server and Splunk server are local to each other on the network. Other options are available when data needs to be forwarded. Click New.
  • Configure the listen port and provide a name to reference the source (optional). Click Next.
  • Select the Source Type name which was created in the previous step. Set Host to IP. Set Index to default. Click Save.

SecureCircle should now be sending data to the SIEM, and the data should be parsed similarly to the example below. If the data is not parsed correctly, confirm your Source Type configuration.
splunk-log.png

Configuring SecureCircle output

In the SecureCircle admin UI, go to the Integrations > SIEM menu on the left navigation bar. For new integrations, click Add Server.

  • Complete the configuration information including the hostname, port, and transport method. Click Add.
  • All logs from SecureCircle will be directed to the SIEM.

To modify the configuration at any time, select the integration using its checkbox and click Actions > Modify Server.
