You have several possibilities to achieve that:
- Forward the events to SPLUNK: ESM Properties > Event Forwarding > Configure SPLUNK as the syslog destination with the needed filters
- Create an alarm to trigger an email which will be sent to SPLUNK
- Create an alarm to execute a remote command on the SPLUNK box, something like logger to a local file, and get that file parsed in SPLUNK
I think there are even more possibilities, as SPLUNK supports many different event sources.
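As an added example (not from this thread), a sketch of what the remote command in option 3 could look like on the Splunk host: a small POSIX shell script that writes each alarm as one key="value" line to a local file that a Splunk monitor input then picks up. The argument order ESM passes, the file path and the sourcetype name are assumptions.

```shell
#!/bin/sh
# esm_alarm_to_file.sh: command an ESM alarm action could run on the Splunk host.
# Alarm fields arrive as positional arguments and are treated as untrusted data:
# they are only ever quoted and written, never passed through eval or a shell.
# Constructed example; argument order, file path and sourcetype are assumptions.

# Escape a value for key="value": backslash, double quote, and line breaks,
# so one alarm always occupies exactly one line in the monitored file.
kv_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr '\n\r' '  '
}

# Build one log line: UTC timestamp plus key="value" pairs.
format_alarm_line() {
    # $1 alarm name, $2 severity, $3 source IP, $4 rule or message text
    printf '%s esm_alarm name="%s" severity="%s" src="%s" msg="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(kv_escape "$1")" "$(kv_escape "$2")" \
        "$(kv_escape "$3")" "$(kv_escape "$4")"
}

# Append to the file Splunk monitors (ALARM_LOG can override the default path).
log_alarm() {
    format_alarm_line "$@" >> "${ALARM_LOG:-/var/log/esm_alarms.log}"
}

# Splunk reads the file with a monitor stanza in inputs.conf (assumed names):
#   [monitor:///var/log/esm_alarms.log]
#   sourcetype = esm:alarm
#   disabled = false
```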
Thanks for your feedback. Regarding the 1st possibility, can we filter to forward triggered events (alarms), or are just events forwarded?
Hi, I don't think it is possible, because alarms seem to be stored in a different special log. With the alarms you can choose multiple actions if the alarm triggers, so you should consider using option 2 or 3 in addition to your currently configured settings. Regards
So we've been looking at this recently, forwarding events to an upstream ArcSight collector. What I'm shooting for in our setup (but this will take some serious tuning) is forwarding based on a severity (I think?) threshold. Again, you really need to be tuning the event severities, as honing in on these things takes time, which I imagine most people don't keep up with. You could also look at the possibility of utilizing a watchlist to do what you need? Sorry, I'm not in front of the GUI, so I'll try and check what I've played with so far in the next few days and possibly elaborate better.