https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393225#M95632 <P>I am collecting windows machines logs though Universal Forwarder to Splunk Heavy Forwarder.</P> <P>UF STANZA - outputs.conf</P> <P>[tcpout]<BR /> defaultGroup=windows_index</P> <P>[tcpout:windows_index]<BR /> sendCookedData=false<BR /> server=192.168.1.172:9997</P> <HR /> <P>Heavy Forwarder STANZA - outputs.conf</P> <P>[tcpout:win_log_forw] <BR /> disabled=false<BR /> sendCookedData=false<BR /> server-192.168.1.182:514</P> <HR /> <P>Then forward log from Splunk Heavy Forwarder to Splunk Indexer and A third party syslog server.</P> <P>Challenge: Third party Syslog server is receiving data as parsed not the raw data </P> <P>Goal : need to receive the data on a raw format in the third party Syslog server.</P> <P>THIRD PARTY SYSLOG RECEVING LIKE BELOW( NOT RAW)</P> <P>2019-02-21T05:24:16.257287+00:00 192.168.1.172 /2019 09:24:14 PM#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 LogName=Security#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 SourceName=Microsoft Windows security auditing.#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventCode=4648#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventType=0#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 Type=Information#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 ComputerName=WIN-AEG45MM7137#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 TaskCategory=Logon#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 OpCode=Info#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 RecordNumber=782#015</P> Tue, 29 Sep 2020 23:19:16 GMT lubinak 2020-09-29T23:19:16Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393225#M95632 <P>I am collecting windows machines logs though Universal Forwarder to Splunk Heavy Forwarder.</P> <P>UF STANZA - outputs.conf</P> <P>[tcpout]<BR /> defaultGroup=windows_index</P> <P>[tcpout:windows_index]<BR /> sendCookedData=false<BR /> server=192.168.1.172:9997</P> <HR /> <P>Heavy Forwarder STANZA - outputs.conf</P> <P>[tcpout:win_log_forw] <BR /> disabled=false<BR /> sendCookedData=false<BR /> server-192.168.1.182:514</P> <HR /> <P>Then forward log from Splunk Heavy Forwarder to Splunk Indexer and A third party syslog server.</P> <P>Challenge: Third party Syslog server is receiving data as parsed not the raw data </P> <P>Goal : need to receive the data on a raw format in the third party Syslog server.</P> <P>THIRD PARTY SYSLOG RECEVING LIKE BELOW( NOT RAW)</P> <P>2019-02-21T05:24:16.257287+00:00 192.168.1.172 /2019 09:24:14 PM#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 LogName=Security#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 SourceName=Microsoft Windows security auditing.#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventCode=4648#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 EventType=0#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 Type=Information#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 ComputerName=WIN-AEG45MM7137#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 TaskCategory=Logon#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 OpCode=Info#015<BR /> 2019-02-21T05:24:16.257287+00:00 192.168.1.172 RecordNumber=782#015</P> Tue, 29 Sep 2020 23:19:16 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393225#M95632 lubinak 2020-09-29T23:19:16Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393226#M95633 <P>Help Please</P> Fri, 22 Feb 2019 19:00:11 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393226#M95633 lubinak 2019-02-22T19:00:11Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393227#M95634 <P>hello, whether you were able to fix it? I am having same issue as well.</P> Wed, 03 Jul 2019 13:57:18 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393227#M95634 spectrum2035 2019-07-03T13:57:18Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393228#M95635 <P>The data in this old question looks like raw data to me. This is just plain windows logs being sent line by line over syslog and then the syslog server writing it to disk adding a timestamp and hostname (ip address in this case) in front of each line (because syslog thinks each line is an event).</P> <P>Getting rid of timestamp and hostname is probably just a matter of using a different template for writing to disk on the syslog server. Same for the #15, that is the syslog daemon replacing the carriage return (\r) control character with something readable. There is a syslog setting to disable that: <CODE>$EscapeControlCharactersOnReceive off</CODE></P> <P>In general I think it is a really bad idea to send this kind of complex multiline events over syslog like this. That is bound to get messed up somehow as syslog daemons are not very good at dealing with multiline data.</P> Wed, 03 Jul 2019 15:06:46 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393228#M95635 FrankVl 2019-07-03T15:06:46Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393229#M95636 <P>Hi FrankVI,</P> <P>Thanks for your reply.. I did $EscapeControlCharactersOnReceive off enabled this one but it cuts off the data. I have posted a question in the Splunk answers (Windows Event logs sending to syslog) <A href="https://answers.splunk.com/answers/756494/windows-event-logs-sending-to-syslog.html">https://answers.splunk.com/answers/756494/windows-event-logs-sending-to-syslog.html</A> </P> Wed, 03 Jul 2019 15:48:05 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393229#M95636 spectrum2035 2019-07-03T15:48:05Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393230#M95637 <P>Can you send to the 3rd party server direct from the universal forwarder instead of the heavy forwarder? The main job of the heavy forwarder is to do some of the parsing work before sending to the indexers. </P> Wed, 03 Jul 2019 19:19:34 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393230#M95637 marycordova 2019-07-03T19:19:34Z https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393231#M95638 <P>i didnt tried it.. can we send it directly to the 3rd party system using UF. My understanding is that we need to HF.</P> Thu, 04 Jul 2019 08:40:43 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-Logs-to-Third-Party-Syslog-Server-Not-able-to-receive/m-p/393231#M95638 spectrum2035 2019-07-04T08:40:43Z