...
Navigate to the Splunk installation root folder and open
%Splunk_Installation_Path%\etc\system\local\outputs.conf
All configuration changes must be made to the copy in the local folder, not to the one under default. Edit the outputs.conf file and apply the configuration step that matches your deployment:

If you do not have an existing syslog configuration, add the following configuration under [syslog]:

    [syslog]
    defaultGroup = AccentureMxDR

    [syslog:AccentureMxDR]
    server = CyberHub_IP_Address:Port_Number
    type = tcp
    maxEventSize = 16384
    sendCookedData = false
    priority = NO_PRI
    syslogSourceType = XmlWinEventLog

Notes:
Server: the CyberHub IP address and port number.
Type: the Splunk default is udp; MDR recommends tcp.
MaxEventSize: MDR-recommended value. Any event exceeding this size is truncated.
Edit the props.conf file in the same local folder and add the routing attribute below at the bottom:

    [source::WinEventLog:*]
    TRANSFORMS-WinEventLog = AccentureMxDRStanza

AccentureMxDRStanza is the name of the stanza you will create in transforms.conf. It can be any name, but it must match in both files exactly, including case.
Save and close the file.
Navigate to the Splunk installation root folder and open
%Splunk_Installation_Path%\etc\system\local\transforms.conf
($SPLUNK_HOME/etc/system/local/transforms.conf). All configuration changes must be made to the copy in the local folder. Edit the transforms.conf file and add the stanza below at the bottom, using the stanza name referenced in your props.conf (i.e. AccentureMxDRStanza):

    [AccentureMxDRStanza]
    # Stanza name as referenced by TRANSFORMS-WinEventLog in props.conf
    REGEX = .
    DEST_KEY = _SYSLOG_ROUTING
    # Output group name as defined in outputs.conf ([syslog:AccentureMxDR])
    FORMAT = AccentureMxDR

REGEX = . matches every event, so all Windows event logs are routed to the group. DEST_KEY must be _SYSLOG_ROUTING: that key selects a [syslog:<group>] output stanza, whereas _TCP_ROUTING selects a [tcpout:<group>] stanza and does not route events to the syslog output defined above.
Restart the Splunk service.
Note: All of these file attributes are case-sensitive and have to be entered exactly as shown.
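To confirm that the three files agree before restarting Splunk, the following added example (not Splunk's or the MDR provider's own tooling) parses sample copies of props.conf, transforms.conf and outputs.conf and follows the routing chain from TRANSFORMS-* to the transforms stanza to the [syslog:<group>] output, flagging a wrong DEST_KEY, a missing server, a non-tcp type and case mismatches in stanza or group names. The sample file contents, the placeholder address 192.0.2.10:6514 and the function names are constructed for illustration:

```python
"""Cross-check the Splunk routing chain props.conf -> transforms.conf -> outputs.conf.

Added example; not Splunk's or the MDR provider's tooling. The three sample
.conf texts below are constructed for illustration (192.0.2.10:6514 stands in
for the CyberHub IP address and port).
"""
import configparser

GOOD_PROPS = """
[source::WinEventLog:*]
TRANSFORMS-WinEventLog = AccentureMxDRStanza
"""

GOOD_TRANSFORMS = """
[AccentureMxDRStanza]
# match every event and select the syslog output group from outputs.conf
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = AccentureMxDR
"""

# Two common mistakes: the tcpout routing key, and the group name in the wrong case.
BAD_TRANSFORMS = """
[AccentureMxDRStanza]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = accenturemxdr
"""

GOOD_OUTPUTS = """
[syslog]
defaultGroup = AccentureMxDR

[syslog:AccentureMxDR]
server = 192.0.2.10:6514
type = tcp
maxEventSize = 16384
priority = NO_PRI
syslogSourceType = XmlWinEventLog
"""


def parse_conf(text):
    """Parse a Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lower-case them
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_routing(props, transforms, outputs, source_stanza="source::WinEventLog:*"):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    stanza = props.get(source_stanza, {})
    names = [v.strip() for k, v in stanza.items() if k.startswith("TRANSFORMS-")]
    if not names:
        return [f"props.conf: no TRANSFORMS-* key under [{source_stanza}]"]
    for name in names:
        t = transforms.get(name)
        if t is None:
            problems.append(f"transforms.conf: stanza [{name}] not found (names are case-sensitive)")
            continue
        if "REGEX" not in t:
            problems.append(f"transforms.conf [{name}]: REGEX is required to match events")
        if t.get("DEST_KEY") != "_SYSLOG_ROUTING":
            problems.append(f"transforms.conf [{name}]: DEST_KEY {t.get('DEST_KEY')!r} does not "
                            "select a [syslog:<group>] output; use _SYSLOG_ROUTING")
        group = t.get("FORMAT", "")
        out = outputs.get(f"syslog:{group}")
        if out is None:
            problems.append(f"outputs.conf: no [syslog:{group}] stanza for FORMAT={group!r} (case-sensitive)")
            continue
        if "server" not in out:
            problems.append(f"outputs.conf [syslog:{group}]: server (IP:port) is missing")
        if out.get("type", "udp") != "tcp":
            problems.append(f"outputs.conf [syslog:{group}]: type is {out.get('type', 'udp')}, MDR recommends tcp")
    return problems


def audit(props_text, transforms_text, outputs_text):
    """Parse the three file texts and run the chain check."""
    return check_routing(parse_conf(props_text), parse_conf(transforms_text), parse_conf(outputs_text))


if __name__ == "__main__":
    for label, transforms_text in (("good", GOOD_TRANSFORMS), ("bad", BAD_TRANSFORMS)):
        for line in audit(GOOD_PROPS, transforms_text, GOOD_OUTPUTS) or ["routing chain OK"]:
            print(f"{label}: {line}")
```

To check a real deployment, read the three files from the local folder and pass their contents to audit(). On a running instance, `splunk btool transforms list --debug` and `splunk btool outputs list --debug` show the merged configuration Splunk actually loads, which is the authoritative check after the restart.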
...