Attempting to forward audittrail sourcetype data via syslog to our existing SIEM. I have a similar setup already working for non-internal index data, but for some reason, the config does not appear to be sending data. There is a metrics.log value that I use to see the data coming off Splunk to that output and there is nothing there. Also, nothing is showing up in the SIEM.
Here is my config:
props.conf
[audittrail]
TRANSFORMS-audittrail = send_to_syslog
transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog_group
outputs.conf
[syslog:siem_syslog_group]
maxEventSize = 4096
server = servernamehere:514
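A quick consistency check of the props -> transforms -> outputs chain shown above, as an added example that is not part of the original post: it parses constructed copies of the three stanzas and reports any link that is missing or mismatched (sourcetype stanza, TRANSFORMS- key, DEST_KEY, FORMAT, and the matching [syslog:<group>] output). It does not check anything about the running Splunk instance.

```python
import configparser
from typing import List

# Constructed copies of the stanzas from the post (not a live deployment).
PROPS = "[audittrail]\nTRANSFORMS-audittrail = send_to_syslog\n"
TRANSFORMS = ("[send_to_syslog]\nREGEX = .\n"
              "DEST_KEY = _SYSLOG_ROUTING\nFORMAT = siem_syslog_group\n")
OUTPUTS = ("[syslog:siem_syslog_group]\nmaxEventSize = 4096\n"
           "server = servernamehere:514\n")


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style .conf; keys stay case-sensitive as Splunk treats them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep TRANSFORMS-xxx / DEST_KEY exactly as written
    cp.read_string(text)
    return cp


def check_syslog_routing(sourcetype: str, props: str, transforms: str,
                         outputs: str) -> List[str]:
    """Return problems found in the syslog routing chain for one sourcetype.
    An empty list means every link of the chain resolves."""
    problems: List[str] = []
    p, t, o = parse_conf(props), parse_conf(transforms), parse_conf(outputs)
    if not p.has_section(sourcetype):
        return [f"props.conf has no [{sourcetype}] stanza"]
    lists = [v for k, v in p.items(sourcetype) if k.startswith("TRANSFORMS-")]
    if not lists:
        return [f"[{sourcetype}] has no TRANSFORMS-* key"]
    # A TRANSFORMS- value may name several transforms, comma separated.
    for name in (n.strip() for v in lists for n in v.split(",")):
        if not t.has_section(name):
            problems.append(f"transforms.conf has no [{name}] stanza")
            continue
        if not t.has_option(name, "REGEX"):
            problems.append(f"[{name}] has no REGEX, so it never matches")
        if t.get(name, "DEST_KEY", fallback="") != "_SYSLOG_ROUTING":
            problems.append(f"[{name}] DEST_KEY is not _SYSLOG_ROUTING")
        group = t.get(name, "FORMAT", fallback="")
        stanza = f"syslog:{group}"
        if not o.has_section(stanza):
            problems.append(f"outputs.conf has no [{stanza}] stanza")
        elif not o.has_option(stanza, "server"):
            problems.append(f"[{stanza}] has no server = host:port")
    return problems


if __name__ == "__main__":
    print(check_syslog_routing("audittrail", PROPS, TRANSFORMS, OUTPUTS) or "chain OK")
```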