topic forwarding syslog to multiple endpoints in Getting Data In

forwarding syslog to multiple endpoints

ebailey — Wed, 02 Apr 2014 16:49:59 GMT

Hi,

I need to forwarded syslog data from a Splunk heavy forwarder to ArcSight. I can forward syslog to one ArcSight connector with no issues, but in order to scale I need to forward data to more than one connector. I cannot get that to work in Splunk.

Currently using 5.0.5 will be upgrading to 6.0.2 in the next couple of weeks.

outputs.conf

[syslog:arcsight_receiver]
server=xxxxxxx:514, xxxxxxx:514

Data is being forwarded to the first target, but not the second.

Any ideas?

Thanks!

Re: forwarding syslog to multiple endpoints

martin_mueller — Wed, 02 Apr 2014 16:54:41 GMT

Are you looking for cloning or load balancing?

Re: forwarding syslog to multiple endpoints

ebailey — Wed, 02 Apr 2014 16:56:02 GMT

load balancing - we need to scale across multiple connectors

Thanks!

Re: forwarding syslog to multiple endpoints

martin_mueller — Wed, 02 Apr 2014 16:59:34 GMT

Okay - I think the syslog output doesn't support that. You've used the LB syntax that works with tcpout outputs for Splunk receivers, but http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/outputsconf doesn't mention that ability:

[syslog]
defaultGroup = <target_group>, <target_group>, ...

[syslog:<target_group>]
server = [<ip>|<servername>]:<port>

That doesn't include optional comma-separated LB alternatives 😞

Re: forwarding syslog to multiple endpoints

ebailey — Wed, 02 Apr 2014 17:39:24 GMT

Thanks - the syntax seemed to imply it would work but I guess not. I saw the format with multiple target groups as the capability I needed.

Re: forwarding syslog to multiple endpoints

martin_mueller — Wed, 02 Apr 2014 18:45:12 GMT

Specifying multiple target groups clones the data instead.

Re: forwarding syslog to multiple endpoints

ebailey — Wed, 23 Apr 2014 16:31:49 GMT

Thanks for your help. Looks like I am out of luck.

Re: forwarding syslog to multiple endpoints

dmaislin_splunk — Wed, 23 Apr 2014 18:56:04 GMT

I have not tested this, but could something like this work?

props.conf:

[sourcetype_or_source_of_your_choosing]
TRANSFORMS-my_syslog_group = send_to_server1,send_to_server2

transforms.conf:

[send_to_server1]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group1

[send_to_server2]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group2

outputs.conf:

[syslog:my_syslog_group1]
server = myhostname1:514
type = tcp

[syslog:my_syslog_group2]
server = myhostname2:514
type = tcp

Re: forwarding syslog to multiple endpoints

SarahSplunk123 — Wed, 07 Oct 2015 09:25:54 GMT

Hello,

We tried it and had a peculiar behavior :
1st attempt : all sourcetypes were forwarded but db data sourcetype
2nd attempt none were forwarded to the second output, yet all were forwarded to the 1st one.

Do you have any idea why?
Any other solutions?

Best regards

Re: forwarding syslog to multiple endpoints

SarahSplunk123 — Wed, 07 Oct 2015 11:36:13 GMT

Hey,

It can be done as in Dan's post :
http://answers.splunk.com/answers/4083/can-i-route-some-data-as-syslog-output-to-multiple-destinations.html

Best regards