https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28435#M4859 <P>If you want to forward a subset of your events as syslog, read this document :<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system">http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system</A></P> Fri, 28 Dec 2012 01:07:54 GMT yannK 2012-12-28T01:07:54Z https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28431#M4855 <P>Hi,</P> <P>I have a number of syslog feeds coming into my indexer on udp port 514.</P> <P>I want to forward the syslog from one of the hosts on to another syslog server.</P> <P>I have set up entries in inputs.conf, props.conf, and transforms.conf, and can successfully forward all syslog data to the syslog server, but cannot do as the manual suggests, and forward from one host.</P> <P>If I use [syslog] as the stanza name in props.conf, all syslog gets forwarded as one would expect.</P> <P>If I use [source::upd:514] as the stanza in props.conf, the same - all syslog gets forwarded.</P> <P>If however, I do as the manual suggests, and use [host::hostname] - nothing gets forwarded. I have also tried using the IP Address instead of the hostname, still nothing.</P> <P>Am I missing something obvious here ?</P> <P>Thanks.</P> Mon, 05 Dec 2011 13:09:26 GMT https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28431#M4855 JovanMilosevic 2011-12-05T13:09:26Z https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28432#M4856 <P>I believe hostname is referring to the value of host that is set in conjunction with a monitored file.</P> <P>Being that you are receiving these files via udp, your inputs.conf might look something like this:</P> <P>[udp://514]<BR /> connection_host = syslog.company.com<BR /> sourcetype = ltm_log<BR /> source = ltm</P> <P>In this example, you would set hostname to syslog.company.com in props.conf.</P> Mon, 28 Sep 2020 12:41:45 GMT https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28432#M4856 AppServices 2020-09-28T12:41:45Z https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28433#M4857 <P>Have a look at the <A href="http://docs.splunk.com/Documentation/Splunk/5.0/admin/outputsconf">specs for outputs.conf</A></P> <P>At the end of that page , you will find a section detailing how to configure props.conf, transforms.conf and outputs.conf to route events to another syslog server</P> Thu, 25 Oct 2012 20:34:59 GMT https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28433#M4857 Damien_Dallimor 2012-10-25T20:34:59Z https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28434#M4858 <P>Why manual are you referring to?</P> Thu, 25 Oct 2012 21:13:57 GMT https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28434#M4858 bmacias84 2012-10-25T21:13:57Z https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28435#M4859 <P>If you want to forward a subset of your events as syslog, read this document :<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system">http://docs.splunk.com/Documentation/Splunk/5.0.1/Deploy/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system</A></P> Fri, 28 Dec 2012 01:07:54 GMT https://community.splunk.com/t5/Getting-Data-In/Selectively-forwarding-syslog-to-a-syslog-server/m-p/28435#M4859 yannK 2012-12-28T01:07:54Z