Skip to content

Supported SC4S destinations

You can configure Splunk Connect for Syslog to use any destination available in syslog-ng OSE. Helpers manage configuration for the three most common destination needs:

  • Splunk HEC,
  • RFC5424 Syslog,
  • and Legacy BSD Syslog.

Note: Some external SIEM systems do not correctly parse host information. Instead of extracting the host from the message, they immediately rely on the header. SC4S, as a relay, places its own IP address in the UDP or TCP header, which is the correct behavior. In this situation, the SIEM may display the SC4S IP as the source IP, but this is not a fault of SC4S.

HEC destination

Configuration options

Variable Values Description
SC4S_DEST_SPLUNK_HEC_<ID>_URL url URL of the Splunk endpoint, this can be a single URL or a space-separated list.
SC4S_DEST_SPLUNK_HEC_<ID>_TOKEN string Splunk HTTP Event Collector token.
SC4S_DEST_SPLUNK_HEC_<ID>_MODE string “GLOBAL” or “SELECT”.
SC4S_DEST_SPLUNK_HEC_<ID>_TLS_VERIFY yes(default) or no Verify HTTP(s) certificates.
SC4S_DEST_SPLUNK_HEC_<ID>_HTTP_COMPRESSION yes or no(default) Compress outgoing HTTP traffic using the gzip method.

HTTP Compression

HTTP traffic compression helps to reduce network bandwidth usage when sending to a HEC destination. SC4S currently supports gzip for compressing transmitted traffic. Using the gzip compression algorithm can result in lower CPU load and increased utilization of RAM. The algorithm may also cause a decrease in performance by 6% to 7%. Compression affects the content but does not affect the HTTP headers. Enable batch packet processing to make the solution efficient, as this allows compression of a large number of logs at once.

Variable Values Description
SC4S_DEST_SPLUNK_HEC_<ID>_HTTP_COMPRESSION yes or no(default) Compress outgoing HTTP traffic using the gzip method.

Syslog standard destination

The use of “syslog” as a network protocol has been defined in Internet Engineering Task Force standards RFC5424, RFC5425, and RFC6587.

Configuration options

Variable Values Description
SC4S_DEST_SYSLOG_<ID>_HOST fqdn or ip The FQDN or IP of the target.
SC4S_DEST_SYSLOG_<ID>_PORT number 601 is the default when framed, 514 is the default when not framed.
SC4S_DEST_SYSLOG_<ID>_IETF yes/no, the default value is yes. Use IETF Standard frames.
SC4S_DEST_SYSLOG_<ID>_TRANSPORT tcp,udp,tls. The default value is tcp.
SC4S_DEST_SYSLOG_<ID>_MODE string “GLOBAL” or “SELECT”.

Send RFC5424 with frames

In this example, SC4S will send Cisco ASA events as RFC5424 syslog to a third party system.

The message format will be similar to: 123 <166>1 2022-02-02T14:59:55.000+00:00 kinetic-charlie - - - - %FTD-6-430003: DeviceUUID.

The destination name is taken from the environment variable, each destination must have a unique name. This value should be short and meaningful.

#env_file
SC4S_DEST_SYSLOG_MYSYS_HOST=172.17.0.1
SC4S_DEST_SYSLOG_MYSYS_PORT=514
SC4S_DEST_SYSLOG_MYSYS_MODE=SELECT
#filename: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-cisco_asa_d_syslog_mysys.conf
application sc4s-lp-cisco_asa_d_syslog_mysys[sc4s-lp-dest-select-d_syslog_mysys] {
    filter {
        'cisco' eq "${fields.sc4s_vendor}"
        and 'asa' eq "${fields.sc4s_product}"
    };    
};

Send RFC5424 without frames

In this example SC4S will send Cisco ASA events to a third party system without frames.

The message format will be similar to: <166>1 2022-02-02T14:59:55.000+00:00 kinetic-charlie - - - - %FTD-6-430003: DeviceUUID.

#env_file
SC4S_DEST_SYSLOG_MYSYS_HOST=172.17.0.1
SC4S_DEST_SYSLOG_MYSYS_PORT=514
SC4S_DEST_SYSLOG_MYSYS_MODE=SELECT
# set to #yes for ietf frames
SC4S_DEST_SYSLOG_MYSYS_IETF=no 
#filename: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-cisco_asa_d_syslog_mysys.conf
application sc4s-lp-cisco_asa_d_syslog_mysys[sc4s-lp-dest-select-d_syslog_mysys] {
    filter {
        'cisco' eq "${fields.sc4s_vendor}"
        and 'asa' eq "${fields.sc4s_product}"
    };    
};

Legacy BSD

In many cases, the actual configuration required is Legacy BSD syslog which is not a standard and was documented in RFC3164.

Variable Values Description
SC4S_DEST_BSD_<ID>_HOST fqdn or ip The FQDN or IP of the target.
SC4S_DEST_BSD_<ID>_PORT number, the default is 514.
SC4S_DEST_BSD_<ID>_TRANSPORT tcp,udp,tls, the default is tcp.
SC4S_DEST_BSD_<ID>_MODE string “GLOBAL” or “SELECT”.

Send legacy BSD

The message format will be similar to: <134>Feb 2 13:43:05.000 horse-ammonia CheckPoint[26203].

#env_file
SC4S_DEST_BSD_MYSYS_HOST=172.17.0.1
SC4S_DEST_BSD_MYSYS_PORT=514
SC4S_DEST_BSD_MYSYS_MODE=SELECT
#filename: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-cisco_asa_d_bsd_mysys.conf
application sc4s-lp-cisco_asa_d_bsd_mysys[sc4s-lp-dest-select-d_bsd_mysys] {
    filter {
        'cisco' eq "${fields.sc4s_vendor}"
        and 'asa' eq "${fields.sc4s_product}"
    };    
};

Multiple destinations

SC4S can send data to multiple destinations. In the original setup the default destination accepts all events. This ensures that at least one destination receives the event, helping to avoid data loss due to misconfiguration. The provided examples demonstrate possible options for configuring additional HEC destinations.

Send all events to the additional destination

After adding this example to your basic configuration SC4S will send all events both to SC4S_DEST_SPLUNK_HEC_DEFAULT_URL and SC4S_DEST_SPLUNK_HEC_OTHER_URL.

#Note "OTHER" should be a meaningful name
SC4S_DEST_SPLUNK_HEC_OTHER_URL=https://splunk:8088
SC4S_DEST_SPLUNK_HEC_OTHER_TOKEN=${SPLUNK_HEC_TOKEN}
SC4S_DEST_SPLUNK_HEC_OTHER_TLS_VERIFY=no
SC4S_DEST_SPLUNK_HEC_OTHER_MODE=GLOBAL

Send only selected events to the additional destination

After adding this example to your basic configuration SC4S will send Cisco IOS events to SC4S_DEST_SPLUNK_HEC_OTHER_URL.

#Note "OTHER" should be a meaningful name
SC4S_DEST_SPLUNK_HEC_OTHER_URL=https://splunk:8088
SC4S_DEST_SPLUNK_HEC_OTHER_TOKEN=${SPLUNK_HEC_TOKEN}
SC4S_DEST_SPLUNK_HEC_OTHER_TLS_VERIFY=no
SC4S_DEST_SPLUNK_HEC_OTHER_MODE=SELECT

application sc4s-lp-cisco_ios_dest_fmt_other[sc4s-lp-dest-select-d_hec_fmt_other] {
    filter {
        'cisco' eq "${fields.sc4s_vendor}"
        and 'asa' eq "${fields.sc4s_product}"
    };
};

Advanced topic: Configure filtered alternate destinations

You may require more granularity for a specific data source. For example, you may want to send all Cisco ASA debug traffic to Cisco Prime for analysis. To accommodate this, filtered alternate destinations let you supply a filter to redirect a portion of a source’s traffic to a list of alternate destinations and, optionally, prevent matching events from being sent to Splunk. You configure this using environment variables:

Variable Values Description
SC4S_DEST_<VENDOR_PRODUCT>_ALT_FILTER syslog-ng filter Filter to determine which events are sent to alternate destinations.
SC4S_DEST_<VENDOR_PRODUCT>_FILTERED_ALTERNATES Comma or space-separated list of syslog-ng destinations. Send filtered events to alternate syslog-ng destinations using the VENDOR_PRODUCT syntax, for example, SC4S_DEST_CISCO_ASA_FILTERED_ALTERNATES.

This is an advanced capability, and filters and destinations using proper syslog-ng syntax must be constructed before using this functionality.

The regular destinations, including the primary HEC destination or configured archive destination, for example d_hec or d_archive, are not included for events matching the configured alternate destination filter. If an event matches the filter, the list of filtered alternate destinations completely replaces any mainline destinations, including defaults and global or source-based standard alternate destinations. Include them in the filtered destination list if desired.

Since the filtered alternate destinations completely replace the mainline destinations, including HEC to Splunk, a filter that matches all traffic can be used with a destination list that does not include the standard HEC destination to effectively turn off HEC for a given data source.