☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Splunk Heavy Forwarder

integrations data collectors splunk

Setting up Secureworks® Taegis™ XDR to receive data from Splunk Heavy Forwarder involves configuring the Splunk forwarder to send the desired logs via syslog to a XDR On-Premises Data Collector deployment.

Note

While XDR supports Splunk Heavy Forwarder transport, if your Splunk environment uses a Linux server running Syslog-ng or Rsyslog to receive logs from your networking equipment, it may be more efficient to configure that Syslog-ng or Rsyslog server to forward logs to a XDR Collector instead of using Splunk Heavy Forwarder.

Configuring a Splunk Heavy Forwarder to send data to XDR involves updating the outputs.conf file for Splunk Heavy Forwarder.

Splunk Heavy Forwarder ⫘

Copy the following configuration into outputs.conf, substituting the server destination with your Taegis™ XDR Collector FQDN or IP:

[tcpout]
defaultGroup=local

[tcpout:local]
useSSL = false
sendCookedData=false
negotiateNewProtocol=false
server=IP/HostnameOfOn-Prem Collector:601

Note

Do not alter TCP port 601, as the collector uses it to gather syslogs.

For more information on Splunk Heavy Forwarder, see Forwarding Data at the Splunk Documentation site.

Note

Logs transported via Splunk Heavy Forwarder must be in the respective formats specified on the configuration page for each source. For example, Microsoft Windows Event Log must be formatted in the “Snare over Syslog” format as specified in Microsoft Windows Event Log.

On this page:

Splunk Heavy Forwarder