Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Splunk Heavy Forwarder

integrations data collectors splunk

Setting up Secureworks® Taegis™ XDR to receive data from Splunk Heavy Forwarder involves configuring the Splunk forwarder to send the desired logs via syslog to a Secureworks® Taegis™ XDR On-Premises Data Collector deployment.


While Secureworks® Taegis™ XDR supports Splunk Heavy Forwarder transport, if your Splunk environment uses a Linux server running Syslog-ng or Rsyslog to receive logs from your networking equipment, it may be more efficient to configure that Syslog-ng or Rsyslog server to forward logs to a Secureworks® Taegis™ XDR Collector instead of using Splunk Heavy Forwarder.

Configuring a Splunk Heavy Forwarder to send data to Secureworks® Taegis™ XDR involves updating the outputs.conf file for Splunk Heavy Forwarder.

Splunk Heavy Forwarder

Copy the following configuration into outputs.conf, substituting the server destination with your Taegis™ XDR Collector FQDN or IP:


useSSL = false
server=IP/HostnameOfOn-Prem Collector:601


Do not alter TCP port 601, as the collector uses it to gather syslogs.

For more information on Splunk Heavy Forwarder, see Forwarding Data at the Splunk Documentation site.


Logs transported via Splunk Heavy Forwarder must be in the respective formats specified on the configuration page for each source. For example, Microsoft Windows Event Log must be formatted in the “Snare over Syslog” format as specified in Microsoft Windows Event Log.


On this page: