• How to connect OSS files to splunk? Any PAX available from HP, plea

    From Aditya Pratomo@21:1/5 to All on Mon Nov 30 23:58:33 2020
I don't get it. I tried to add your parameter to the LAFARC file, and when I tried to run LAF it was showing this:

    Selection? 1
    Enter the SIEM device IP address <xxx.xxx.xxx.xxx>? 10.X.XX.1XX
    Enter TCP/IP process name <$ZB018>? $ZB018
    Pinging 10.X.XX.1XX using $ZB018 ...
    Routine error in LAF <<
    RUN $SYSTEM.SYSTEM.PING /OUTV
    ^
    Expecting an existing variable
    (Its type must be MACRO ROUTINE TEXT DELTA ALIAS or DIRECTORY)
    Routine Trace:
    [#IF NOT (
    [ping^test]

please advise,
thank you.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Aditya Pratomo@21:1/5 to Lesan on Tue Dec 1 19:53:39 2020
    On Tuesday, November 10, 2020 at 10:57:38 PM UTC+7, Rob Lesan wrote:
    On Monday, November 9, 2020 at 3:23:24 AM UTC-5, Aditya Pratomo wrote:
    On Monday, August 6, 2018 at 9:31:00 PM UTC+7, Rob Lesan wrote:
    On Sunday, August 5, 2018 at 11:46:43 PM UTC-4, prabinku...@gmail.com wrote:
    On Friday, August 3, 2018 at 11:09:03 AM UTC+5:30, prabinku...@gmail.com wrote:
    How to connect OSS files to splunk? Any PAX available from HP, please suggest.

Basically, through SPLUNK I want to monitor our application log; the application log is present in the Guardian environment. Currently the logs are present in SQL tables for only 5 minutes before they go to the next system, and the SQL table gets wiped every 5 minutes.
What I am thinking: if I could tweak my application program to additionally log data into an OSS file, and somehow SPLUNK could monitor the OSS file, that would serve my purpose.
    (In OSS, I can create new files depending size of the files filled from log data, that I can control).
    Have you looked at using XYGATE Merged Audit for this? It can accept a lot of different type of log data and can forward it to Splunk in syslog format with key/value pairs that you can configure.

    Ping me if you need more information on this (rob.lesan at xypro.com)
Can you help me with how to connect XYGATE MA to Splunk? Right now my config is XYGATE MA to ArcSight. XYGATE MA only has 2 filters, LAFARC and LAFRSA (LAFARC: ArcSight Log Adapter Filters - Version 1.2; LAFRSA: RSA enVision Log Adapter Filters - Version 1.18). Thank you for helping me.
    You can use the LAFARC filters to send to Splunk. LAFARC formats the data in CEF (Common Event Format) that Splunk will accept.

    If you want to modify the payload, you can make a copy of the LAFARC file and use a #INCLUDE statement in your FILTERS file to include the additional formatting.

    Here is what the bottom of my FILTERS file looks like:

    ! Begin ArcSight Log Adapter Filters - Version 1.22
    #DEFINE ^ARC_STATUS ACTIVE
    #DEFINE_BEGIN ^ARC_ACTIONTYPE
    ACTIONTYPE SYSLOGQ
    IPALERT_MSGDELIMITER CR
    #DEFINE_END
    #DEFINE_BEGIN ^ARC_ROUTING
    IPALERT_ADDRESS 10.1.1.1
    IPALERT_PORT 27169
    IPALERT_IPPROCESS $ZTC0
    #DEFINE_END
    #INCLUDE $FOO.BAR.LAFARC
    ! End ARCSight Log Adapter Filters

    ! Begin Splunk Log Adapter Filters - Version 1.22
    #DEFINE ^SPLUNK_STATUS ACTIVE
    #DEFINE_BEGIN ^SPLUNK_ACTIONTYPE
    ACTIONTYPE SYSLOGQ
    IPALERT_MSGDELIMITER CR
    #DEFINE_END
    #DEFINE_BEGIN ^SPLUNK_ROUTING
    IPALERT_ADDRESS 10.1.1.2
    IPALERT_PORT 27110
    IPALERT_IPPROCESS $ZTC0
    #DEFINE_END
    #INCLUDE $FOO.BAR.LAFSPLNK
    ! End Splunk Log Adapter Filters

Just to make it clear: so I make a copy of the LAFARC file and rename it, LAFSPLNK for example. Then I add the statement to my FILTERS file with a #INCLUDE statement. So I don't have to run the LAF file and add the SIEM Splunk IP address? Or do I have to do that?
How do I execute the new FILTERS file?

    Thanks for helping me, because I am new guy for this

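Added example, not part of the thread and not code from XYPRO or Splunk: the LAFARC filters above send CEF over syslog, so before pointing the `^SPLUNK_ROUTING` address at the indexer it helps to know what a well-formed CEF line looks like and to check the escaping rules (`\|` and `\\` in the header, `\=`, `\\`, `\n`, `\r` in the extension). The parser below reads syslog-wrapped CEF as a SIEM would and flags the header problems that typically break onboarding. The vendor, product and field values in the sample lines are constructed and do not claim to match what XYGATE Merged Audit actually emits.

```python
"""Parse and sanity-check CEF-over-syslog lines (added example; samples are constructed)."""
import re
from typing import Dict, List

# Optional RFC 3164-style prefix "<PRI>Mon dd hh:mm:ss host " before "CEF:".
_SYSLOG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"CEF:(?P<body>.*)$"
)
_HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
# An extension key is a run of key chars followed by an unescaped '=' at the start
# of the extension or after whitespace; '=' inside a value must be written '\='.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}


def _split_header(body: str) -> List[str]:
    """Split the 7 header fields on unescaped '|' ('\\|' and '\\\\' are escapes);
    element 8 is the raw, unsplit extension."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: keep it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 '|'-separated fields")
    fields.append(body[i:])
    return fields


def _unescape_ext(value: str) -> str:
    """Extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline / CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k=v k2=value with spaces' into a dict; values run up to the next key."""
    hits = list(_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].rstrip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF event; ValueError if it is not CEF."""
    m = _SYSLOG.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no 'CEF:' payload found")
    parts = _split_header(m.group("body"))
    event: Dict[str, object] = dict(zip(_HEADER, parts[:7]))
    event["extension"] = parse_extension(parts[7])
    event["pri"] = int(m.group("pri")) if m.group("pri") else None
    event["host"] = m.group("host")
    event["timestamp"] = m.group("ts")
    return event


def problems(event: Dict[str, object]) -> List[str]:
    """Header checks a receiver typically rejects on: version, severity range, empty fields."""
    issues = []
    if event["version"] != "0":
        issues.append(f"unexpected CEF version {event['version']!r}")
    sev = str(event["severity"])
    if not (sev.isdigit() and 0 <= int(sev) <= 10) and sev not in _SEVERITY_WORDS:
        issues.append(f"severity {sev!r} is not 0-10 or Low/Medium/High/Very-High")
    for f in ("vendor", "product", "signature_id", "name"):
        if not event[f]:
            issues.append(f"empty header field {f}")
    return issues


# Constructed sample lines; hypothetical vendor/product, not real captures.
SAMPLES = [
    "<134>Dec  1 19:53:39 nsk01 CEF:0|ExampleVendor|ExampleAudit|1.0|100|"
    "User logon|3|src=10.0.0.5 suser=super.super act=ALLOW msg=Logon via TACL",
    # Escaped '|' in the header; escaped '=' and newline in the extension.
    "CEF:0|Example\\|Vendor|ExampleAudit|2.1|200|Pipe \\| in name|Low|"
    "cs1=a\\=b cs1Label=Expr msg=Line one\\nLine two",
    # Malformed: severity outside 0-10.
    "CEF:0|ExampleVendor|ExampleAudit|1.0|300|Bad severity|42|src=10.0.0.6",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ev = parse_cef(s)
        print(ev["name"], ev["extension"], problems(ev) or "ok")
```

Feed it the raw lines captured on the Splunk side (for example from a temporary `nc -l` listener on the configured port) to confirm the header splits into exactly seven fields and that the key/value pairs come out as intended before the real Splunk input is enabled.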