Access Gate forwards its audit and alert streams over syslog (RFC 5424). This guide covers the Splunk-side configuration needed to ingest those events and extract the structured fields that detection rules depend on.
Prerequisites
- Access Gate configured to forward logs over TCP syslog to your Splunk indexer (or a heavy forwarder in front of it). See Log Forwarding and SIEM Export.
- Splunk Enterprise 9.x or Splunk Cloud with the ability to add custom inputs and props.
- A listener port. The examples use 5514/TCP; binding port 514 directly requires running Splunk as root, which is not recommended.
Open a TCP Input
Add a TCP input that maps incoming Access Gate events to a dedicated sourcetype.
$SPLUNK_HOME/etc/system/local/inputs.conf:
[tcp://5514]
sourcetype = access_gate:syslog
index = access_gate
disabled = false
Create the index from Settings → Indexes → New Index (access_gate) before restarting Splunk so events are not dropped on first ingest.
Define the Sourcetype and Field Extractions
Access Gate emits events in RFC 5424 with structured data. Splunk's default syslog sourcetype handles RFC 3164 only, so define a custom sourcetype with explicit timestamping and a single regex extraction for the four Access Gate fields.
$SPLUNK_HOME/etc/system/local/props.conf:
[access_gate:syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Skip PRI and VERSION ("<130>1 ") so the timestamp is read from the right offset
TIME_PREFIX = ^<\d+>\d+\s
# The sample event carries three subsecond digits (20:53:10.313Z), so use %3N, not %6N
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
MAX_TIMESTAMP_LOOKAHEAD = 32
# Structured-data params in the order Access Gate emits them; one pass, four fields
EXTRACT-access_gate_fields = Log="(?<event_log>[^"]+)"\s+Mitre="(?<mitre>[^"]+)"\s+PrincipalIp="(?<src_ip>[^"]+)"\s+Rule="(?<rule>[^"]+)"
Restart Splunk after editing inputs/props:
sudo /opt/splunk/bin/splunk restart
This sourcetype extracts four fields from every Access Gate event:
| Field | Source (SD-PARAM) | Example |
|---|---|---|
| event_log | Log | user Alice Salmon logged in using screen CUI Access |
| mitre | Mitre | ----- |
| src_ip | PrincipalIp | 192.168.100.59 |
| rule | Rule | Access Screen Login Attempt |
Validate the Extraction
Send a sample event to the input with nc and run a search to confirm field extraction before pointing the Access Gate at it:
echo '<130>1 2026-04-24T20:53:10.313Z access-gate vigil 334 ALERT [context@60446 Log="user Alice Salmon logged in using screen CUI Access" Mitre="-----" PrincipalIp="192.168.100.59" Rule="Access Screen Login Attempt"]' \
| nc -q1 splunk-indexer 5514
In Splunk Web, run:
index=access_gate sourcetype="access_gate:syslog" earliest=-15m
| table _time src_ip rule event_log
The hit should show src_ip, rule, and event_log populated.
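A local pre-flight check for the extraction, added here as an example (it is not Access Gate or Splunk code): it applies the same pattern as EXTRACT-access_gate_fields and parses the RFC 5424 timestamp over constructed sample events, and reports any event that would land in the index with no extracted fields. The second sample assumes a Log value containing an RFC 5424 escaped quote, which the `[^"]+` pattern does not match, so a saved alert keyed on rule= would not see that event.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed samples (not captured Access Gate output). The first is the page's
# nc test event; the second carries an RFC 5424 escaped quote (\") inside Log.
SAMPLE_EVENTS = [
    '<130>1 2026-04-24T20:53:10.313Z access-gate vigil 334 ALERT [context@60446 '
    'Log="user Alice Salmon logged in using screen CUI Access" Mitre="-----" '
    'PrincipalIp="192.168.100.59" Rule="Access Screen Login Attempt"]',
    '<130>1 2026-04-24T20:53:11.002Z access-gate vigil 335 ALERT [context@60446 '
    'Log="user \\"Alice\\" logged in" Mitre="-----" '
    'PrincipalIp="192.168.100.59" Rule="Access Screen Login Attempt"]',
]

# Same pattern as EXTRACT-access_gate_fields in props.conf, in Python syntax.
EXTRACT_RE = re.compile(
    r'Log="(?P<event_log>[^"]+)"\s+Mitre="(?P<mitre>[^"]+)"\s+'
    r'PrincipalIp="(?P<src_ip>[^"]+)"\s+Rule="(?P<rule>[^"]+)"'
)
# Mirrors TIME_PREFIX (^<\d+>\d+\s) followed by the RFC 5424 TIMESTAMP field.
HEADER_RE = re.compile(r"^<\d+>\d+\s(?P<ts>\S+)\s")


def extract_fields(event: str) -> Optional[Dict[str, str]]:
    """Apply the props.conf regex; None means Splunk would populate no fields."""
    m = EXTRACT_RE.search(event)
    return m.groupdict() if m else None


def parse_timestamp(event: str) -> datetime:
    """Parse the header timestamp as TIME_FORMAT intends (UTC, 'Z' suffix)."""
    m = HEADER_RE.match(event)
    if not m:
        raise ValueError("no RFC 5424 header: %r" % event[:40])
    # %f accepts 1-6 subsecond digits; %z accepts 'Z' and +HH:MM on Python 3.7+.
    return datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z")


def preflight(events: List[str]) -> List[int]:
    """Return indexes of events that would be indexed without extracted fields."""
    bad = []
    for i, ev in enumerate(events):
        parse_timestamp(ev)  # raises if the header or timestamp would not parse
        if extract_fields(ev) is None:
            bad.append(i)
    return bad


if __name__ == "__main__":
    for i in preflight(SAMPLE_EVENTS):
        print("event %d: no field extraction; an alert on rule= would miss it" % i)
```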
Create a Saved Alert
From Search & Reporting, run a search that matches the events you want to alert on, then Save As → Alert:
index=access_gate sourcetype="access_gate:syslog" rule="Access Screen Login Attempt"
- Type: Real-time
- Trigger condition: Number of Results is greater than 0
- Trigger actions: as required (email, webhook, ServiceNow, etc.)
Repeat for each Access Gate rule you want to surface in Splunk.
Verify in the Dashboard
Trigger a login event from the Access Gate UI. In Splunk, run:
index=access_gate earliest=-15m
| stats count by rule, src_ip
The Access Gate event should appear with the extracted rule and src_ip fields populated.
Related
- Log forwarding and SIEM export — configure the syslog destination on the Access Gate side
- Detection and alerts — what populates the alert stream
- System logs and diagnostics information — on-box logs for troubleshooting