https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537406#M90069 <P>Thanks. This configuration seems to be correct.</P><P>1) send to splunk idx</P><P>2) send to syslog server with udp to port 514</P><P>Actually you could drop away&nbsp;<SPAN>[tcpout-server://10.x.x.1:9997] as you don't define&nbsp;</SPAN>anything there.</P><P>So what was your actual issue?</P> Wed, 27 Jan 2021 12:54:05 GMT isoutamo 2021-01-27T12:54:05Z https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537394#M90066 <P>Hi,</P><P>&nbsp;I am forwarding&nbsp; logs to indexer and&nbsp; also to third party server&nbsp; from my universal forwarder</P><P>I am sure what we are configured on inputs.conf&nbsp; that only logs will send to indexer</P><P>Now I have added another third party server on my&nbsp; outputs.conf , so my question will it sent whole logs or only the inputs.conf file log ..?</P><P>&nbsp;</P> Wed, 27 Jan 2021 11:01:07 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537394#M90066 splkadmin 2021-01-27T11:01:07Z https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537400#M90067 <P>Can you paste your inputs.conf and outputs.conf here with masked sensitive information? Then it's easier help you.</P><P>r. Ismo</P> Wed, 27 Jan 2021 12:01:48 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537400#M90067 isoutamo 2021-01-27T12:01:48Z https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537404#M90068 <P>Pls find the info below</P><P>cat splunkforwarder/etc/apps/search/local/inputs.conf<BR />[monitor:///var/log]<BR />disabled = false<BR />index = linux<BR />sourcetype = linux_logs</P><P>[monitor:///vitent/skipper/logs.log]<BR />disabled = false<BR />index = linux<BR />sourcetype = linux_logs</P><P><BR />sudo cat splunkforwarder/etc/system/local/outputs.conf<BR />[tcpout]<BR />defaultGroup = default-autolb-group,thirdparty</P><P>[tcpout:default-autolb-group]<BR />server = 10.x.x.1:9997</P><P>[tcpout-server://10.x.x.1:9997]</P><P>[tcpout:thirdparty]<BR />server = 10.x.x.x:514<BR />sendCookedData = false</P> Wed, 27 Jan 2021 12:33:53 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537404#M90068 splkadmin 2021-01-27T12:33:53Z https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537406#M90069 <P>Thanks. This configuration seems to be correct.</P><P>1) send to splunk idx</P><P>2) send to syslog server with udp to port 514</P><P>Actually you could drop away&nbsp;<SPAN>[tcpout-server://10.x.x.1:9997] as you don't define&nbsp;</SPAN>anything there.</P><P>So what was your actual issue?</P> Wed, 27 Jan 2021 12:54:05 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537406#M90069 isoutamo 2021-01-27T12:54:05Z https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537412#M90070 <P><SPAN>send to syslog server with udp to port 514</SPAN></P><P><SPAN>I want to know&nbsp; what are the logs will&nbsp; sent to syslog server through universal forwarder to thirdy party? only the logs I defined in inputs.conf&nbsp; ?</SPAN></P> Wed, 27 Jan 2021 13:14:05 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537412#M90070 splkadmin 2021-01-27T13:14:05Z https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537416#M90071 <P>With your current configuration it sends all logs to the both target (indexer and syslog).</P><P>If you want to send some logs to both and some to only one then you need remove remote-server from default and add into inputs.conf _SYSLOG_ROUTING = &lt;remote group stanza name in outputs.conf for syslog target&gt; to send only that one. That must do on every monitoring stanza.&nbsp;</P><P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Inputsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Inputsconf</A></P><P>There is also _TCP_ROUTING parameter which is used with indexers.</P><P>&nbsp;</P> Wed, 27 Jan 2021 13:33:51 GMT https://community.splunk.com/t5/Getting-Data-In/forwarder-Logs/m-p/537416#M90071 isoutamo 2021-01-27T13:33:51Z