Forwarding data from Splunk heavy forwarders to QRadar

After you add Splunk instances to the app, you need to configure the app to forward the raw data from Splunk heavy forwarders to QRadar®.

Before you begin

Understand how data forwarding and heavy forwarders work. For more information, see Universal and heavy forwarders.

Procedure

  1. On the Splunk Instances tab, expand a Splunk instance to see the list of available data source types. To narrow the list of Splunk instances to choose from, search for instances by location, description, or source type.
    Defining source types is optional on Splunk instances, so data sources that don't belong to a source type are listed under 'Not defined'. Each source type appears as a link in the list and displays its related data sources.
  2. Investigate the data sources of each Splunk instance to help determine which sources you want to forward to QRadar.
  3. To forward data sources from heavy forwarders, select them individually or select Forward to QRadar.
    The following conditions apply for heavy forwarders:
    • You can select individual data source types or click Select All. The Select All option does not select the "Not defined" source type. You must review the "Not defined" data sources in a separate window and then select which ones to forward to QRadar.
    • Within each source type, you can select individual source names or click Select All.
    • You can click Clear before you click Add. After you add a source type to the forwarding list, you can't clear it from the selection. To remove source types and data sources from the forwarding list, click Forward and then click Remove in the confirmation window.
    • Select All selects every source type or data source that exists at that moment. Source types or data sources that are added later aren't forwarded. If you want new sources to be forwarded automatically, use the Forward All to QRadar option instead.

      Example: A heavy forwarder monitors src_typ_a, src_typ_b, and src_typ_c.

      If you choose the Select All option, Splunk forwards src_typ_a, src_typ_b, and src_typ_c to QRadar. But if you add src_typ_d later, Splunk doesn't automatically forward it to QRadar; you must add it by using the app.

      If you choose the Forward All to QRadar option, Splunk forwards src_typ_a, src_typ_b, and src_typ_c to QRadar, and if you add src_typ_d later, Splunk automatically forwards it to QRadar.

  4. Select the data sources that you want to forward, and then click Add > Forward.
    To clear your selections from the forwarding queue and start again, click the X icon.

    Certain conditions are outlined on the Select Forwarders page. You must click to agree with these conditions before you can continue, or you must remove the heavy forwarders from the forwarding list. After you make your choice to agree or remove, click Step 2: Set Port for QRadar.

  5. On the Set Port for QRadar page, set the IP address and TCP port number of the QRadar console for each Splunk instance, and click Set. Any Windows-based sources are displayed, with configuration options to choose from.
    Tips:
    • In general, use port 514 to forward data to QRadar. To forward TCP multiline events, use port 12468. Syslog on these ports is sent in cleartext, so forward only over a network path that you trust.
    • Click Preview to see the settings that the app applies for a data source (the props.conf, transforms.conf, and outputs.conf entries) before you decide to forward it. This view is useful for non-administrative users, who can copy the information and send it to a Splunk administrator to apply on the Splunk instance. After you copy the data to the clipboard, modify the appropriate files (props.conf, transforms.conf, outputs.conf).
    • If QRadar App for Splunk Data Forwarding detects a source to be Windows-based, but it's not, you can still forward the logs to port 514.
  6. For each Splunk source that QRadar App for Splunk Data Forwarding detects as a Windows source, select one of the following configuration options.
    • If you want to create a log source on the QRadar console, select Automatically create Windows log source on QRadar.
    • If you want to create and configure a log source as a gateway log source, select Configure log source as a gateway (to identify logs coming in from various sources).
    • If you want to manually create a log source on QRadar, see Adding a log source.
  7. After you finish setting up the ports, click Set > Step 3: Finish > Finish.
    Before Splunk can start forwarding the data to QRadar, the app must restart the Splunk instance. The restart briefly interrupts data collection on that heavy forwarder, so schedule it accordingly. Click Finish, and then click Close after the Splunk instance restarts.
  8. If you need to change the username or password for a Splunk instance, click Edit. You cannot change the IP address or port number.
  9. To stop Splunk from forwarding data to QRadar, go to the Forwarded Data Sources tab, select the relevant Splunk instances, and click Stop Forwarding.
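As an added example (not code from the app or from this documentation), the following stanzas show what the three files named in the Preview tip look like when a Splunk administrator applies the forwarding by hand on a heavy forwarder, routing one source type from the example above, src_typ_a, to QRadar over TCP syslog on port 514. The QRadar address 192.0.2.10 and the stanza names qradar and send_to_qradar are assumptions; substitute your own console address and naming.

```ini
# outputs.conf on the heavy forwarder: define the syslog destination.
# 192.0.2.10 is an assumed QRadar console address; 514 is the general-purpose
# port from the tips above (use 12468 for TCP multiline events).
[syslog:qradar]
server = 192.0.2.10:514
type = tcp
# Splunk prepends a syslog header to each raw event; <13> is user.notice.
priority = <13>

# props.conf on the heavy forwarder: attach a routing transform to each
# source type that you selected in the app. Repeat per source type.
[src_typ_a]
TRANSFORMS-qradar = send_to_qradar

# transforms.conf on the heavy forwarder: match every event of that source
# type and point the syslog routing key at the output group defined above.
[send_to_qradar]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = qradar
```

Restart splunkd after editing the files (the app does this for you at Step 3), then run `splunk btool outputs list syslog:qradar --debug` on the heavy forwarder to confirm the stanza is in effect and which file it came from, and look for the source's events on the Log Activity tab in QRadar.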

Results

The data from the selected sources starts to appear in the Log Activity tab as events in QRadar. You can identify them by their Source IP.

Each instance in the Splunk Instances tab includes information about which user created the instance, which users started or stopped data forwarding, and when the content for the instance was last refreshed.