https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236147#M45920 <P>Xrtan,</P> <P>You did not specified index on each input stanza. Did you enable receiving port 9997 on the Indexer ?</P> Tue, 19 Jan 2016 13:09:43 GMT alemarzu 2016-01-19T13:09:43Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236146#M45919 <P>Here is my setup on my Heavy Forwarder</P> <P><STRONG>inputs.conf</STRONG> </P> <PRE><CODE>[udp://:514] sourcetype = syslog connection_host = ip disabled = 0 [tcp://:514] sourcetype = syslog connection_host = ip disabled = 0 </CODE></PRE> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[tcpout] defaultGroup = indexers [tcpout:indexers] server = &lt; ip-address &gt;:9997, &lt; ip-address &gt;:9997 </CODE></PRE> <P>However, on my indexers, I'm only able to see source tcp:514. My UDP syslogs are not being indexed. </P> <P>Any idea where went wrong?</P> <P><STRONG>EDIT (resolved):</STRONG><BR /> Just to update, configured my props.conf and solve the issue</P> <P>Old configuration:<BR /> [host::10.1.1.1]<BR /> TRANSFORMS-change = change</P> <P>Corrected configuration:<BR /> [source::udp:514]<BR /> TRANSFORMS-change = change</P> <P>Hope this might be useful to anyone who is trying to achieve something similar to what i'm trying</P> Tue, 19 Jan 2016 07:50:09 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236146#M45919 xrtan 2016-01-19T07:50:09Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236147#M45920 <P>Xrtan,</P> <P>You did not specified index on each input stanza. Did you enable receiving port 9997 on the Indexer ?</P> Tue, 19 Jan 2016 13:09:43 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236147#M45920 alemarzu 2016-01-19T13:09:43Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236148#M45921 <P>Hi alemarzu, the event are going into default index main. 9997 is enabled on indexer too. <BR /> The indexer is indexing events from tcp:514 but not udp:514. </P> Wed, 20 Jan 2016 00:06:37 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236148#M45921 xrtan 2016-01-20T00:06:37Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236149#M45922 <P>Did you tried to search those events directly on the Heavy Forwarder first ? (udp:514)<BR /> What about rules on your firewall, did you check them ?</P> Wed, 20 Jan 2016 20:23:05 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236149#M45922 alemarzu 2016-01-20T20:23:05Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236150#M45923 <P>if i were to use indexandForward it will be able to index, however not able to send out.<BR /> Firewall has been turned off. Anyhow, i've figured out what went wrong. Thanks for the help, cheers.</P> Fri, 22 Jan 2016 08:17:41 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236150#M45923 xrtan 2016-01-22T08:17:41Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236151#M45924 <P>Great xrtan, do you mind sharing the answers, it may help other members. </P> Fri, 22 Jan 2016 12:49:07 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-forward-syslogs-coming-in-from-UDP-514/m-p/236151#M45924 alemarzu 2016-01-22T12:49:07Z