Universal and heavy forwarders

Some Splunk instances use heavy or universal forwarders to send data to third-party systems, including QRadar®. You must understand how they work so you can forward the data sources properly.

How data forwarding works

When QRadar App for Splunk Data Forwarding first connects to a Splunk instance, the app collects the source data about that instance and stores it in its own database, because app memory is limited; all content is then retrieved from that database rather than from Splunk directly. Click the Refresh icon to update the app with the latest source data that is available in the application database. Click Sync to synchronize an individual Splunk instance: the app reconnects to the server and collects the source data again.

If you want to forward Microsoft Windows events from Splunk, see Collect Windows events that are forwarded from Splunk appliances (https://www.ibm.com/docs/en/qsip/7.5?topic=splunk-collecting-windows-events-that-are-forwarded-from). QRadar App for Splunk Data Forwarding 3.0.0 or later also supports Windows event collection. Ensure that a TCP multiline port is configured on QRadar on port 12438.

Universal forwarders

A Splunk universal forwarder cannot route data based on the event contents; it can forward only unparsed data. If you want to forward data to QRadar, you must forward all of the data.

Heavy forwarders

If you choose to forward data from a heavy forwarder, an app with the ID qradar_forwarding_app is created in the apps directory of your Splunk installation. The app includes up to three configuration files (props.conf, transforms.conf, outputs.conf) that determine how data is forwarded from Splunk to QRadar.

  • If a default forwarding group exists, the existing forwarding functions might be superseded by the changes that the app makes in the transforms.conf and props.conf files. A warning page that lists any forwarding groups appears for heavy forwarders.
  • If the data is not being forwarded, verify whether one of the following conditions applies:
    1. Conflicting rules in higher-priority configuration files might take precedence. You can rewrite your rules so that they no longer conflict.
    2. The data might be ignored because of a blocklist in the Splunk configuration files.
    3. If your data is still not being forwarded as expected, refer to the Splunk Enterprise documentation (https://docs.splunk.com/Documentation/Splunk).
  • If internal logs were being forwarded, they are no longer forwarded, because the app writes a blocklist setting to the outputs.conf configuration file.
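The following is an added, illustrative set of the three files described above; it is not the content that qradar_forwarding_app generates. The stanza name route_to_qradar, the source type WinEventLog:Security, the group name qradar, and the QRadar host are assumptions; port 12438 is the TCP multiline port mentioned earlier on this page.

```ini
# outputs.conf (assumed path: $SPLUNK_HOME/etc/apps/qradar_forwarding_app/local/)
# Destination group for events routed to QRadar. Raw (uncooked) TCP is used so
# that QRadar's TCP multiline listener receives plain event text.
[tcpout:qradar]
server = qradar.example.internal:12438   # placeholder QRadar host
sendCookedData = false

# Blocklist-style setting: keep Splunk's own internal indexes (_internal, _audit, ...)
# local instead of sending them to QRadar. This is why internal logs stop being
# forwarded once the app writes its outputs.conf.
[tcpout]
forwardedindex.filter.disable = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*

# props.conf
# Attach the routing transform to the source type you want to forward.
# Caveat: a stanza for the same source type in a higher-priority location
# (for example system/local) with its own TRANSFORMS-routing wins and silently
# overrides this one; that is the "conflicting rules" case above.
[WinEventLog:Security]
TRANSFORMS-routing = route_to_qradar

# transforms.conf
# Match every event of that source type and send it to the tcpout group above.
[route_to_qradar]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = qradar
```

To see which configuration layer actually wins for a stanza, run `splunk btool props list WinEventLog:Security --debug` on the heavy forwarder; the file path printed beside each setting shows where the effective value comes from.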