I am trying to get logs from Splunk to Logstash. I first tried plain syslog output from the Splunk heavy forwarders to Logstash, but that sent each line of a multi-line Windows Event Viewer event as a separate syslog event. I don't want to deal with trying to recombine multiple syslog events back into a single Windows event. If anyone has done that, let me know.
Perhaps a better option is to query the Splunk REST API, so I have been trying that. Please tell me there is a prebuilt or community-built parser for this output format. The output looks like this:
{
"preview": false,
"init_offset": 0,
"messages": [],
"fields": [
{
"name": "Analysis_symbol"
},
{
"name": "Cab_Id"
},
{
"name": "ComputerName"
},
{
"name": "EventCode"
},
{
"name": "EventType"
},
{
"name": "Event_Name"
},
{
"name": "Got_the_following_information_from_this_event"
},
{
"name": "Hashed_bucket"
},
{
"name": "Keywords"
},
{
"name": "LogName"
},
{
"name": "Message"
},
{
"name": "OpCode"
},
{
"name": "P1"
},
{
"name": "P10"
},
{
"name": "P2"
},
{
"name": "P3"
},
{
"name": "P4"
},
{
"name": "P5"
},
{
"name": "P6"
},
{
"name": "P7"
},
{
"name": "P8"
},
{
"name": "P9"
},
{
"name": "Rechecking_for_solution"
},
{
"name": "RecordNumber"
},
{
"name": "Report_Id"
},
{
"name": "Report_Status"
},
{
"name": "Response"
},
{
"name": "Sid"
},
{
"name": "SidType"
},
{
"name": "SourceName"
},
{
"name": "TaskCategory"
},
{
"name": "Type"
},
{
"name": "User"
},
{
"name": "_bkt"
},
{
"name": "_cd"
},
{
"name": "_eventtype_color"
},
{
"name": "_indextime"
},
{
"name": "_pre_msg"
},
{
"name": "_raw"
},
{
"name": "_serial"
},
{
"name": "_si"
},
{
"name": "_sourcetype"
},
{
"name": "_time"
},
{
"name": "date_hour"
},
{
"name": "date_mday"
},
{
"name": "date_minute"
},
{
"name": "date_month"
},
{
"name": "date_second"
},
{
"name": "date_wday"
},
{
"name": "date_year"
},
{
"name": "date_zone"
},
{
"name": "eventtype"
},
{
"name": "host"
},
{
"name": "index"
},
{
"name": "linecount"
},
{
"name": "punct"
},
{
"name": "source"
},
{
"name": "sourcetype"
},
{
"name": "splunk_server"
},
{
"name": "splunk_server_group"
},
{
"name": "timeendpos"
},
{
"name": "timestartpos"
}
],
"results": [
{
"ComputerName": "SVR-WEB-V01.test.local",
"EventCode": "1033",
"EventType": "4",
"Keywords": "Classic",
"LogName": "Application",
"Message": "Windows Installer installed the product. Product Name: Splunk Enterprise. Product Version: 8.0.4.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 0.",
"OpCode": "Info",
"RecordNumber": "13539",
"Sid": "S-1-5-21-2930188092-2083453072-227432495-1113",
"SidType": "0",
"SourceName": "MsiInstaller",
"TaskCategory": "None",
"Type": "Information",
"User": "NOT_TRANSLATED",
"_bkt": "main~1~95603916-0138-4018-BD00-D4D64F548131",
"_cd": "1:26780",
"_indextime": "1594066592",
"_pre_msg": "07/06/2020 04:15:09 PM\nLogName=Application\nSourceName=MsiInstaller\nEventCode=1033\nEventType=4\nType=Information\nComputerName=SVR-WEB-V01.test.local\nUser=NOT_TRANSLATED\nSid=S-1-5-21-2930188092-2083453072-227432495-1113\nSidType=0\nTaskCategory=None\nOpCode=Info\nRecordNumber=13539\nKeywords=Classic",
"_raw": "07/06/2020 04:15:09 PM\nLogName=Application\nSourceName=MsiInstaller\nEventCode=1033\nEventType=4\nType=Information\nComputerName=SVR-WEB-V01.test.local\nUser=NOT_TRANSLATED\nSid=S-1-5-21-2930188092-2083453072-227432495-1113\nSidType=0\nTaskCategory=None\nOpCode=Info\nRecordNumber=13539\nKeywords=Classic\nMessage=Windows Installer installed the product. Product Name: Splunk Enterprise. Product Version: 8.0.4.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 0.",
"_serial": "0",
"_si": [
"SVR-WEB-V01",
"main"
],
"_sourcetype": "WinEventLog:Application",
"_time": "2020-07-06T16:15:09.000-04:00",
"date_hour": "16",
"date_mday": "6",
"date_minute": "15",
"date_month": "july",
"date_second": "9",
"date_wday": "monday",
"date_year": "2020",
"date_zone": "local",
"host": "SVR-WEB-V01",
"index": "main",
"linecount": "15",
"punct": "//_::_======--..==-------======____.__:__.__:_....",
"source": "WinEventLog:Application",
"sourcetype": "WinEventLog:Application",
"splunk_server": "SVR-WEB-V01",
"timeendpos": "23",
"timestartpos": "0"
}
],
"highlighted": {}
}
Has anyone pulled/pushed logs from Splunk to Logstash? If so, can you detail how you did it?