Skip to content

Splunk Heavy Forwarder

In certain network architectures such as those using data diodes or those networks requiring “in the clear” inspection at network egress SC4S can be used to accept specially formatted output from Splunk as RFC5424 syslog.

Key facts

  • RFC 5424 using port 601 (Framed)
Ref Link
Splunk Add-on None
Product Manual unknown


sourcetype notes
spectracom:ntp None
nix:syslog None

Sourcetype and Index Configuration

Index Source and Sourcetype will be used as determined by the Source/HWF

Splunk Configuration

  • Splunk MUST have props and transforms applied (Typically via add-ons)
  • This configuration will consume all output presuming no S2S is allowed no Splunk destnation will be used


#Because audit trail is protected and we can't transform it we can not use default we must use tcp_routing
defaultGroup = NoForwarding

server = localhost:9000
sendCookedData = false


TRANSFORMS-zza-syslog = syslog_canforward, metadata_meta,  metadata_source, metadata_sourcetype, metadata_index, metadata_host, metadata_subsecond, metadata_time, syslog_prefix, syslog_drop_zero
# The following applies for TCP destinations where the IETF frame is required
TRANSFORMS-zzz-syslog = syslog_octal, syslog_octal_append
# Comment out the above and uncomment the following for udp
#TRANSFORMS-zzz-syslog-udp = syslog_octal, syslog_octal_append, syslog_drop_zero

# We can't transform this source type its protected
TRANSFORMS-zza-syslog =
TRANSFORMS-zzz-syslog =


REGEX = ^.(?!audit)
FORMAT = nexthop

SOURCE_KEY = _meta
REGEX = (?ims)(.*)
FORMAT = ~~~SM~~~$1~~~EM~~~$0 
DEST_KEY = _raw

SOURCE_KEY = MetaData:Source
REGEX = ^source::(.*)$
FORMAT = s="$1"] $0
DEST_KEY = _raw

SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::(.*)$
FORMAT = st="$1" $0
DEST_KEY = _raw

SOURCE_KEY = _MetaData:Index
REGEX = (.*)
FORMAT = i="$1" $0
DEST_KEY = _raw

SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = " h="$1" $0
DEST_KEY = _raw

SOURCE_KEY = _time
REGEX = (.*)
FORMAT = <1>1 - - SPLUNK - COOKED [fields@274489 $0
DEST_KEY = _raw

SOURCE_KEY = _time
REGEX = (.*)
FORMAT =  t="$1$0
DEST_KEY = _raw

SOURCE_KEY = _meta
REGEX = \_subsecond\:\:(\.\d+)
FORMAT = $1 $0
DEST_KEY = _raw

INGEST_EVAL= mlen=length(_raw)+1

INGEST_EVAL = _raw=mlen + " " + _raw

INGEST_EVAL = queue=if(mlen<10,"nullQueue",queue)