IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.
  • 1.  Splunk Integration

    Posted Wed February 13, 2019 09:33 AM
    Hello,

    Does someone have a working deployment with Splunk forwarding Logs to QRadar?
    With or without the Splunk App...
    I would like to know how to make it work.

    Thank You in advance!

    Regards,

    ------------------------------
    Artur Gazda
    ------------------------------


  • 2.  RE: Splunk Integration

    Posted Wed February 13, 2019 11:07 AM
    So what are your issues with it?

    Sent from mobile

    Unless stated otherwise above:
    IBM Nederland B.V.
    Registered in Amsterdam
    Amsterdam Trade Register registration no. 33054214




  • 3.  RE: Splunk Integration

    Posted Wed February 13, 2019 11:42 AM
    We installed the App, added a Splunk Heavy Forwarder and configured it through the App to forward logs, but the Log Source for the incoming events remains unknown.
    The App documentation ends with how to forward the logs to QRadar but it doesn't say anything about the Log Source Configuration on QRadar.
    As I understood, the Logs should appear as if they were sent from the original device.
    Therefore I would like to know if I need to configure the Log Sources manually and if yes, how?
    Like, do I need to follow this instruction, even for non-Windows events:
    https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/t_DSM_guide_Splunk_logsource.html ?
    Or should I configure a Syslog Redirect Log Source?
    If yes, I don't see any point in using the Splunk Forwarding App except for configuring Splunk, which we would prefer to do manually anyway.

    Also, in another test scenario, the Splunk Indexer did not receive any logs anymore because the forwarder forwarded them only to QRadar.
    Is there a way to forward them to both the Indexer and QRadar?

    Is it possible to forward the Logs from the Indexer?

    Thank you.

    Best Regards,


    ------------------------------
    Artur Gazda
    ------------------------------



  • 4.  RE: Splunk Integration

    Posted Mon April 13, 2020 02:57 PM

    Splunk best practices recommend using a Heavy Forwarder to forward logs to third-party systems. You can configure a heavy forwarder to route data conditionally to third-party systems, in the same way that it routes data conditionally to other Splunk instances, by editing outputs.conf:

    https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Configureforwardingwithoutputs.conf 

    If you are sending all the data, you just need to edit outputs.conf. Example:

    ------------------------------

    [tcpout]
    defaultGroup = fastlane

    [tcpout:fastlane]
    server = x.y.z.m:<port number>
    # send raw (uncooked) events, since the receiver is not a Splunk instance
    sendCookedData = false

    -------------------------



    ------------------------------
    Zaid AbuAlrish
    ------------------------------
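Artur's second question (keeping the Splunk indexer fed while also sending to QRadar) is handled by the same file: listing more than one target group in `defaultGroup` makes the heavy forwarder clone every event to each group. The outputs.conf below is an added example written for this thread, not configuration from the Splunk documentation, the IBM app, or either poster; the host names, ports and group names are placeholders, and it assumes QRadar is listening for syslog on TCP 514 as described later in the thread.

```ini
# outputs.conf on the Splunk heavy forwarder (added example; hosts and ports are placeholders)
[tcpout]
# Two target groups: each event is cloned to both, so the Splunk indexer keeps receiving data
defaultGroup = splunk_indexers, qradar

# Normal Splunk-to-Splunk delivery: cooked data on the default receiving port
[tcpout:splunk_indexers]
server = indexer1.example.internal:9997, indexer2.example.internal:9997

# QRadar is not a Splunk instance: send the raw event text so its syslog listener can parse it
[tcpout:qradar]
server = qradar.example.internal:514
sendCookedData = false
```

Restart splunkd on the forwarder after the change. Because both groups are cloned from one output pipeline, a QRadar outage can back-pressure delivery to the indexers; `dropClonedEventsOnQueueFull` in the `[tcpout]` stanza is the documented knob for choosing between blocking and dropping in that case. QRadar sees only whatever text the original source produced, so events that arrive at Splunk without a syslog header reach QRadar without one; Splunk's syslog output processor (`[syslog:<group>]` stanzas) is the alternative when a header is needed for the DSM to identify the device.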



  • 5.  RE: Splunk Integration

    Posted Tue April 14, 2020 11:16 PM
    Hi Artur.

    So, the Splunk app itself merely configures the forwarding operation on the Splunk Universal or Heavy Forwarder side - this forwarding could also be configured on the Splunk side without the Splunk app by a Splunk administrator as well.  It relies on autodetection for the incoming stream of data over port 514 for parsing, unless a manually created log source is in place.  The logs should appear as they would have been received by Splunk.  The one exception to this is that for Windows events, the Splunk app has an option to automatically create a TCP Multiline Windows DSM log source to parse that specific format of data.

    Does this help?

    Jeff

    ------------------------------
    JEFF RUSK
    ------------------------------