Use syslog Forwarder to archive events longer than the Splunk limitation
Last Updated June 28, 2019
Your organization must retain data longer than the configured or maximum Splunk retention setting permits. You need a plan for keeping log events beyond that retention window, possibly by redirecting events from Integrated Cyber Defense Exchange (ICDx) into another store.
Create a syslog forwarder to direct the traffic to a syslog server with enough storage to retain the events. If aggregating log events for search and analysis remains a requirement, the syslog administrator will need to configure the syslog server to forward the ICDx events on to Splunk.
Q1. When configuring the syslog server to relay ICDx events collected from SEPM, when we look at fields in a single event, what is device_time? A1. Generically, "device_time" is "the time that the event occurred at the device". In the context of SEP, this is when an event occurred on the SEP client.
Q2. Application and Device Control events are not arriving to ICDx from SEP clients. Do you know if this is by design? A2. Currently, the SEP collector is limited to security events.
Q3. When configuring the syslog server to relay ICDx events collected from SEPM, when we look at fields in a single event, what is the timezone field? A3. The number of minutes that the reported Device Time is ahead of or behind UTC. It is a number in the range -1,080 to +1,080.
Q4. Does TZ offset apply to all times in an entry? A4. No, all times recorded in the log events appear in epoch time, which is the number of seconds that have elapsed since 00:00:00 Thursday, 1 January 1970, Coordinated Universal Time (UTC), minus leap seconds. No matter what timezone the SEP client is in at the time an event occurs, all the timestamps are normalized to this format.
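The distinction in Q3 and Q4 (epoch timestamps are already UTC; the timezone field only describes the device's local offset) is easy to get wrong when post-processing archived events. The following is an added example, not code from the article or from ICDx: it assumes events arrive as JSON objects whose "device_time" holds epoch seconds and whose "timezone" holds the minute offset, as the Q&A describes, and it rejects offsets outside the documented range.

```python
"""Interpret ICDx-style device_time and timezone fields (added example).

Assumption (not from the article): each event is a JSON object with a
"device_time" key holding epoch seconds and a "timezone" key holding the
offset in minutes, as the Q&A describes those two fields.
"""
import json
from datetime import datetime, timedelta, timezone

TZ_MIN, TZ_MAX = -1080, 1080  # documented range of the timezone field (minutes)

# Constructed sample events, not captured from a real ICDx or SEPM.
SAMPLE_EVENTS = [
    '{"device_time": 1561680000, "timezone": -300}',  # 2019-06-28T00:00:00Z, UTC-5
    '{"device_time": 1561680000, "timezone": 330}',   # same instant, UTC+5:30
    '{"device_time": 1561680000, "timezone": 2000}',  # offset outside the range
]


def parse_event(raw):
    """Return (utc_iso, device_local_iso, offset_minutes) for one event.

    device_time is already UTC epoch seconds, so the offset is never added
    to it to "correct" it. The offset is used only to reconstruct the
    wall-clock time shown on the device, e.g. when matching a user's report.
    """
    event = json.loads(raw)
    epoch = int(event["device_time"])
    offset = int(event["timezone"])
    if not TZ_MIN <= offset <= TZ_MAX:
        raise ValueError(f"timezone offset {offset} outside {TZ_MIN}..{TZ_MAX}")
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    local = utc.astimezone(timezone(timedelta(minutes=offset)))
    return utc.isoformat(), local.isoformat(), offset


def summarize(raw_events):
    """Parse a batch, collecting bad records instead of aborting the run."""
    parsed, rejected = [], []
    for raw in raw_events:
        try:
            parsed.append(parse_event(raw))
        except (ValueError, KeyError) as exc:
            rejected.append((raw, str(exc)))
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = summarize(SAMPLE_EVENTS)
    for utc, local, off in ok:
        print(f"UTC {utc}  device-local {local}  offset {off:+d} min")
    for raw, why in bad:
        print(f"rejected {raw}: {why}")
```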