https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473922#M81387 <P>Sorry, I was not very clear.<BR /> The props and transforms allows you to selectively send sourcetypes for routing - in case you didn't want to send everything to syslog you can use the routing config to be specific about which ones you do.</P> <P>With a default set, everything will get routed - if you only wanted a subset, remove the default group settings, and use the props/transforms.</P> <P>If you want everything you should not need the props/transforms</P> Wed, 19 Feb 2020 15:57:40 GMT nickhills 2020-02-19T15:57:40Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473916#M81381 <P>I setup syslog output forwarding per the Splunk docs, but am not seeing anything being sent out nor receiving it on the endpoint.</P> <P>Here is what I have applied on the heavyforwarder outputs.conf</P> <PRE><CODE>[tcpout] defaultGroup = indexer_group,forwarders_syslog useACK = true [tcpout:indexer_group] server = indexer_ip_address:indexer:port clientCert = xxxxxxxx maxQueueSize = 20MB sslPassword = xxxxxxxxx [tcpout:forwarders_syslog] server = syslog_ip:syslog_port clientCert = xxxxxxx maxQueueSize = 20MB sslPassword = xxxxxxxx blockOnCloning = false dropClonedEventsOnQueueFull = 10 useACK = false </CODE></PRE> <P><STRONG>Note :-</STRONG><BR /> The configuration for forwarding the data to syslog can be found under [tcpout:forwarders_syslog]</P> <P>The following errors are found on splunkd.log when the heavy forwarder trying to forward the logs to syslog server</P> <PRE><CODE> WARN TcpOutputProc - Cooked connection to ip=syslog_ip:syslog_port timed out ERROR TcpOutputFd - Connection to host=syslog_ip:syslog_port failed WARN TcpOutputFd - Connect to syslog_ip:syslog_port failed. Connection refused </CODE></PRE> <P>Also I do not see any connection issues when I'm trying to trouble shoot as follows :- </P> <P><STRONG>In heavy forwarder :-</STRONG> <BR /> Tried to telnet to the syslog server from heavyforwarder with the specified port and see that it's got conected. </P> <P><STRONG>In receiving server</STRONG> </P> <PRE><CODE>netstat -tnlp | grep rsyslog </CODE></PRE> <P>Tried the above and see that the specified port in Heavy forwarder is listening in TCP</P> <P>Not sure where and what else should I be checking to transfer the data whatever the heavyforwarder is currently transffering to Indexer also to a syslog server. </P> Tue, 18 Feb 2020 19:40:49 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473916#M81381 pavanae 2020-02-18T19:40:49Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473917#M81382 <P>Hi pavanae,</P> <P>Try sending some events using <CODE>nc</CODE> see this here <A href="https://superuser.com/questions/1229415/simple-way-to-generate-syslog-over-tcp">https://superuser.com/questions/1229415/simple-way-to-generate-syslog-over-tcp</A></P> <P>cheers, MuS</P> Tue, 18 Feb 2020 19:48:39 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473917#M81382 MuS 2020-02-18T19:48:39Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473918#M81383 <P>You need a <CODE>[syslog:&lt;target_group&gt;]</CODE> not a <CODE>[tcpout:forwarders_syslog]</CODE> group.</P> <P>remove:<BR /> <CODE>,forwarders_syslog</CODE> from [tcpout]</P> <P>add:</P> <PRE><CODE>[syslog] defaultGroup = forwarders_syslog </CODE></PRE> <P>Change the last stanza to</P> <PRE><CODE>[syslog:forwarders_syslog] server = syslog_ip:syslog_port #the below options are not supported #clientCert = xxxxxxx #maxQueueSize = 20MB #sslPassword = xxxxxxxx #blockOnCloning = false #dropClonedEventsOnQueueFull = 10 #useACK = false </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#Syslog_output----">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf#Syslog_output----</A></P> <P>Once you have that you need to configure routing in props.conf and transforms.conf<BR /> See: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd</A></P> <P>But quick example.</P> <P>props.conf</P> <PRE><CODE>[my sourcetype] TRANSFORMS-my_sourcetype_syslog = send_to_syslog </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[send_to_syslog] REGEX = . DEST_KEY = _SYSLOG_ROUTING FORMAT = forwarders_syslog </CODE></PRE> Tue, 18 Feb 2020 19:50:26 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473918#M81383 nickhills 2020-02-18T19:50:26Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473919#M81384 <P>Thank you @nickhillscpl Is it ok to specify 2 default groups as mentioned above. </P> <P>1 default group for tcpout and the other for syslog?</P> Tue, 18 Feb 2020 20:17:24 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473919#M81384 pavanae 2020-02-18T20:17:24Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473920#M81385 <P>yes, because they are defaults for tcp (splunk2splunk) or syslog<BR /> You are just configuring a default group for each type of output.</P> Tue, 18 Feb 2020 20:29:47 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473920#M81385 nickhills 2020-02-18T20:29:47Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473921#M81386 <P>Thanks again <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/23295">@nickhills</a>. Is it mandatory to have the props and transforms. what happens if I don't have those props and tranforms for the send_to_syslog. </P> Wed, 30 Sep 2020 04:14:50 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473921#M81386 pavanae 2020-09-30T04:14:50Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473922#M81387 <P>Sorry, I was not very clear.<BR /> The props and transforms allows you to selectively send sourcetypes for routing - in case you didn't want to send everything to syslog you can use the routing config to be specific about which ones you do.</P> <P>With a default set, everything will get routed - if you only wanted a subset, remove the default group settings, and use the props/transforms.</P> <P>If you want everything you should not need the props/transforms</P> Wed, 19 Feb 2020 15:57:40 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473922#M81387 nickhills 2020-02-19T15:57:40Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473923#M81388 <P>Got it Thanks @nickhillscpl. Not sure what else needs to be verified I still do not see anything coming to my syslog server. Is there any way to troubleshoot the connection?</P> Wed, 19 Feb 2020 16:39:37 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-data-from-Heavy-forwarder-to-syslog-server/m-p/473923#M81388 pavanae 2020-02-19T16:39:37Z