New version of Splunk forwarder app
IBM has recently released a new version of the Splunk forwarder app. It is a very useful tool for anybody running both systems. Splunk and IBM QRadar are two of the leading SIEM (Security Information and Event Management) products, but each offers different benefits to its users. Based on Gartner's assessment, Splunk lacks specific advanced threat detection capabilities, while QRadar provides them. For this reason it is worth re-routing the data collected by Splunk to QRadar.
A new version of the Splunk forwarder app
The latest version, 2.0.0, of the Splunk forwarder app is available in the X-Force App Exchange extension repository. It brings several improvements, such as a better user interface and a new workflow design. It also adds the ability to configure the Splunk management port number if your instance runs on a port other than the default 8089. Another new feature merges the two filter boxes into a single dynamic search for instances by location, description and source type. Pagination has also been upgraded so that more than 10 instances can be viewed at a time.
The app runs on the latest QRadar releases, V7.2.8, V7.3.0, V7.3.1 and V7.3.2, and on modern browsers.
Configuring of Splunk forwarder app
You can add a single Splunk instance or multiple instances, configuring for each one its hostname (or IP address), the port number it uses and the user credentials. If you use a Splunk Deployment Server, you can connect to it and generate a CSV file that lists all of the Splunk servers in the deployment. After adding the credentials for each server listed in the file, upload the file to the app.
Because of memory limitations, the Splunk Data Forwarding app keeps its data in an app database. Once you add a Splunk instance to the app, the QRadar extension connects to that instance, collects all the data about it and stores that data in the app's own database.
Events generated by the app
The app can dispatch the following five audit events: configuring the app, adding a Splunk instance, deleting a Splunk instance, starting data forwarding and stopping data forwarding. The app logs these audit events in LEEF format.
Apart from the audit events, you can also see the forwarded events. The results differ depending on how the Splunk instance is configured, since it can use either a heavy forwarder or a universal forwarder to send data. A Splunk universal forwarder cannot route data based on its contents, so if you want to forward data from it to QRadar, you must forward all of the data.
If you select the Forward All to QRadar checkbox, Splunk forwards all data from a universal forwarder. By default, the app forwards data to QRadar on port 514; to forward multiline events, use port 12468. You can preview the content of a data source before you decide to forward it. This view is useful for non-administrative users, who can copy the information and send it to an administrator to change the Splunk instance. Before Splunk can start forwarding data to QRadar, the app must initiate a restart of the Splunk instance. To stop Splunk from forwarding data to QRadar, go to the Forwarded Data Sources tab, select the relevant Splunk instances and click Stop Forwarding.
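The distinction above, forward everything from a universal forwarder versus route by content from a heavy forwarder, comes down to Splunk's own syslog output configuration. The fragment below is an added illustration of that underlying mechanism, not configuration generated by the app or taken from the original post; the QRadar hostname, the source stanza and the regular expression are assumed values.

```ini
# outputs.conf (both forwarder types): define the QRadar syslog targets.
# Port 514 is the app's default syslog destination; 12468 is used for multiline events.
[syslog]
defaultGroup = qradar

[syslog:qradar]
server = qradar.example.internal:514
type = udp

[syslog:qradar_multiline]
server = qradar.example.internal:12468
type = tcp

# On a universal forwarder the stanzas above are all that applies: it does not
# parse events, so everything it indexes is sent to the defaultGroup, which is
# what the app's "Forward All to QRadar" option relies on.

# props.conf (heavy forwarder only): attach a routing transform to one source.
# The source path is an assumed value.
[source::/var/log/app/auth.log]
TRANSFORMS-routing = route_auth_failures_to_qradar

# transforms.conf (heavy forwarder only): send only events matching the regex
# to the qradar syslog group; everything else keeps its normal Splunk path.
[route_auth_failures_to_qradar]
REGEX = (?i)(authentication failed|access denied)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = qradar
```

Content-based routing via `_SYSLOG_ROUTING` only takes effect on a heavy forwarder, because the universal forwarder never evaluates props.conf or transforms.conf against event contents.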