Syslog Reporting Splunk
  • 30 Mar 2021


Setting up Splunk as a Syslog SIEM Integration

In version 2.14 the Process element of the Detail JSON was expanded to carry much more detail about the application, including its version and code-signing certificate. This change may impact existing reports and alerts that reference the process field; please update them as needed.

Before version 2.14, the Detail JSON looked something like the following (the exact fields depend on the event):

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"/Users/peter/Downloads/system 2.log", "process":"application_name_here"}"}

Starting in version 2.14, the Detail JSON looks something like the following (again, the exact fields depend on the event):

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"\/Users\/username\/Pictures\/Backgrounds\/IMG_1900.JPG", "process":{"name":"dock","impname":"dock","ver":"2092.20.9","cert":{"status":"Trusted","certHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx","signHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxx","serial":"YYYYYYYYYYYYYYYY","desc":"Dock","prod":"Dock","inner":"","strong":"","original":"","executable":"file:\/\/\/System\/Library\/CoreServices\/\/Contents\/MacOS\/Dock","publisher":"Software Signing","signers":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}"}

SecureCircle can send detailed server and usage logs to any SIEM or syslog aggregator. This document gives examples of how to set up SecureCircle with Splunk; the same general steps apply to any SIEM.

Configuring Splunk Source Type

Note: See the table below the screenshots for the SIEM settings.

First, create a new Source Type that defines the data format. If the Source Type is not configured correctly, users will not be able to parse and search the data.

  • Click Settings and select Source Types (under Data) from the top navigation bar.
  • Select New Source Type from the right-hand menu. In the example below, the Source Type was given the name ‘syslog_json’.

Ensure the Source Type settings are configured as described in the table below.

Setting               Value
Description           Syslog RFC3164 with JSON message body
maxDist               3
Lookahead             32
Timestamp format      %b %d %H:%M:%S
TIME_FORMAT           %b %d %H:%M:%S
Extraction            Advanced
Category              Application
Time Zone             Auto
Event Breaks          Every Line
Indexed Extractions   None
SEDCMD-Stripheader    s/^[^{]+//
REPORT-syslog         Syslog-extractions
TRANSFORMS            syslog-host
Pulldown_type         true
Charset               UTF-8
Timestamp prefix      (leave blank)
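To check that the SEDCMD-Stripheader setting above and the version 2.14 process change described earlier still yield the fields your alerts rely on, here is an added example (not SecureCircle's or Splunk's own code) that applies the same header-stripping substitution and normalises both the pre-2.14 and 2.14 Detail JSON shapes. The syslog header text, host name and certificate fields in the sample events are constructed for illustration.

```python
import json
import re

# Mirrors SEDCMD-Stripheader (s/^[^{]+//): drop the RFC3164 header so the
# event text starts at the first "{".
HEADER_RE = re.compile(r"^[^{]+")

# Constructed sample events, not real SecureCircle output. The Detail JSON
# is carried as an escaped string inside the outer "message" field.
PRE_214 = "Mar 30 10:15:01 sc-server securecircle: " + json.dumps({"message": json.dumps({
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/peter/Downloads/system 2.log",
    "process": "application_name_here"})})
POST_214 = "Mar 30 10:15:02 sc-server securecircle: " + json.dumps({"message": json.dumps({
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/username/Pictures/Backgrounds/IMG_1900.JPG",
    "process": {"name": "dock", "ver": "2092.20.9",
                "cert": {"status": "Trusted", "publisher": "Software Signing"}}})})


def strip_header(line: str) -> str:
    """Apply the same substitution as the SEDCMD-Stripheader setting."""
    return HEADER_RE.sub("", line, count=1)


def parse_event(line: str) -> dict:
    """Return one flat record with the same field names for both formats."""
    outer = json.loads(strip_header(line))
    detail = json.loads(outer["message"])      # inner JSON is a string
    proc = detail.get("process")
    if isinstance(proc, str):                  # pre-2.14: bare process name
        proc = {"name": proc, "ver": None, "cert": {}}
    cert = proc.get("cert") or {}
    return {
        "fid": detail.get("fid"),
        "path": detail.get("path"),
        "process_name": proc.get("name"),
        "process_ver": proc.get("ver"),
        "cert_status": cert.get("status"),     # None for pre-2.14 events
        "signed_by": cert.get("publisher"),
    }


def untrusted_events(lines) -> list:
    """Alert candidates: events whose process lacks a 'Trusted' signature.
    Pre-2.14 events carry no certificate data, so they are flagged too;
    treat that as a prompt to upgrade rather than as a finding."""
    return [e for e in map(parse_event, lines) if e["cert_status"] != "Trusted"]
```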

Next, configure the data input. Click Settings > Data inputs.

Configure Splunk to listen on a specific port.

  • Select the Local Input Type (UDP or TCP). This assumes the SecureCircle server and the Splunk server are on the same local network; other options are available when data needs to be forwarded. Click New.
  • Configure the listen port and provide a name to reference the source (optional). Click Next.
  • Select the Source Type name which was created in the previous step. Set Host to IP. Set Index to default. Click Save.

SecureCircle should now be sending data to the SIEM, and the data should be parsed similar to the example below. If the data is not parsed correctly, confirm your Source Type configuration against the table above.

Configuring SecureCircle output

In the SecureCircle admin UI, go to the Integrations > SIEM menu on the left navigation bar. For new integrations, click Add Server.

  • Complete the configuration information including the hostname, port, and transport method. Click Add.
  • All logs from SecureCircle will be directed to the SIEM.

To modify the configuration at any time, tick the checkbox next to the Integration and click Actions > Modify Server.
