https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50932#M9768 <P>I'm trying to use splunkforwarder-4.2.2-101277-linux-2.6-x86_64.rpm as an aggregator and translator for a bunch of Splunk servers sending cooked format to forward to one (now) or more (eventually) plain old syslog servers. This should be really easy, but I seem to be missing something important.</P> <P>Basically, I want:</P> <PRE><CODE>[ Splunk(s) ] --cooked--&gt; [ UF ] --syslog--&gt; [ syslog(s) ] </CODE></PRE> <P>If I use [tcpout] in outputs.conf I can get it to sort-of work, except the syslog server receives gibberish when I sniff it. When I try to use [syslog] I get nothing actually forwarded and an error in splunkd.log:<BR /> ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.</P> <P>I've tried every combination I can think of, and per /opt/splunkforwarder/etc/system/README/outputs.conf.example even various props.conf and transforms.conf even though lots of folks say that the UF won't parse or use those. I've searched the forums and Googled for hours, and still no matter what, I get an error and nothing, or gibberish. The 3 test machines I'm using (regular Splunk sending cooked, UF, and plain old syslog) are all on the same subnet and switch, and can all talk to each other just fine. As noted, it even almost kinda works, except for the "plain old" syslog part. My syslog server is running syslog-ng and it is listening on 514 UDP. But I'm verifying via tcpdump, so I'm not even worried about that part yet. The stuff that gets there is not the same stuff I'm sending from Splunk.</P> <P>Unless I have [tcpout] in outputs.conf I get the "ERROR TcpOutputProc ..." but I suspect that that's what sending gibberish instead of plain old text.</P> <P>What silly, basic thing am I missing?</P> <P>inputs.conf</P> <PRE><CODE>[default] host = my_suf [splunktcp://:9997] </CODE></PRE> <P>outputs.conf = sends nothing, get "ERROR TcpOutputProc ..." above</P> <PRE><CODE>[syslog] defaultGroup = plainoldsyslog [syslog:plainoldsyslog] disabled = false server = 192.168.1.100:514 type = tcp </CODE></PRE> <P>outputs.conf = sends something, but per tcpdump it's not the plain syslog text I want</P> <PRE><CODE>[tcpout] defaultGroup = plainoldsyslog [tcpout:plainoldsyslog] disabled = false server = 192.168.1.100:514 type = tcp sendCookedData = false compressed = false </CODE></PRE> Sat, 30 Jul 2011 06:38:56 GMT nisse 2011-07-30T06:38:56Z https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50932#M9768 <P>I'm trying to use splunkforwarder-4.2.2-101277-linux-2.6-x86_64.rpm as an aggregator and translator for a bunch of Splunk servers sending cooked format to forward to one (now) or more (eventually) plain old syslog servers. This should be really easy, but I seem to be missing something important.</P> <P>Basically, I want:</P> <PRE><CODE>[ Splunk(s) ] --cooked--&gt; [ UF ] --syslog--&gt; [ syslog(s) ] </CODE></PRE> <P>If I use [tcpout] in outputs.conf I can get it to sort-of work, except the syslog server receives gibberish when I sniff it. When I try to use [syslog] I get nothing actually forwarded and an error in splunkd.log:<BR /> ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.</P> <P>I've tried every combination I can think of, and per /opt/splunkforwarder/etc/system/README/outputs.conf.example even various props.conf and transforms.conf even though lots of folks say that the UF won't parse or use those. I've searched the forums and Googled for hours, and still no matter what, I get an error and nothing, or gibberish. The 3 test machines I'm using (regular Splunk sending cooked, UF, and plain old syslog) are all on the same subnet and switch, and can all talk to each other just fine. As noted, it even almost kinda works, except for the "plain old" syslog part. My syslog server is running syslog-ng and it is listening on 514 UDP. But I'm verifying via tcpdump, so I'm not even worried about that part yet. The stuff that gets there is not the same stuff I'm sending from Splunk.</P> <P>Unless I have [tcpout] in outputs.conf I get the "ERROR TcpOutputProc ..." but I suspect that that's what sending gibberish instead of plain old text.</P> <P>What silly, basic thing am I missing?</P> <P>inputs.conf</P> <PRE><CODE>[default] host = my_suf [splunktcp://:9997] </CODE></PRE> <P>outputs.conf = sends nothing, get "ERROR TcpOutputProc ..." above</P> <PRE><CODE>[syslog] defaultGroup = plainoldsyslog [syslog:plainoldsyslog] disabled = false server = 192.168.1.100:514 type = tcp </CODE></PRE> <P>outputs.conf = sends something, but per tcpdump it's not the plain syslog text I want</P> <PRE><CODE>[tcpout] defaultGroup = plainoldsyslog [tcpout:plainoldsyslog] disabled = false server = 192.168.1.100:514 type = tcp sendCookedData = false compressed = false </CODE></PRE> Sat, 30 Jul 2011 06:38:56 GMT https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50932#M9768 nisse 2011-07-30T06:38:56Z https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50933#M9769 <P>The utterly failed to work at all for me, but dumping the UF and using regular Splunk as a forwarder with the same config files almost works... See <A href="http://splunk-base.splunk.com/answers/28438/no-time-or-host-in-forwarded-syslog-messages">http://splunk-base.splunk.com/answers/28438/no-time-or-host-in-forwarded-syslog-messages</A></P> Tue, 02 Aug 2011 23:27:27 GMT https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50933#M9769 nisse 2011-08-02T23:27:27Z https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50934#M9770 <P>Just to help people who may stumble across this, as of the current version (5.0.4), the Splunk Universal Forwarder is not capable of forwarding data in Syslog format. A Heavy Forwarder <EM>must</EM> be used to do this. </P> <P><STRONG>4.2.2 Docs</STRONG>: <A href="http://docs.splunk.com/Documentation/Splunk/4.2.2/Deploy/Forwarddatatothird-partysystemsd#Syslog_data">http://docs.splunk.com/Documentation/Splunk/4.2.2/Deploy/Forwarddatatothird-partysystemsd#Syslog_data</A> (Covering the version in question)</P> <P><STRONG>5.0.4 Docs</STRONG>: <A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Forwarddatatothird-partysystemsd#Syslog_data">http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Forwarddatatothird-partysystemsd#Syslog_data</A></P> <P>Check the latest docs <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd">HERE</A> for any possible changes in this.</P> Wed, 04 Sep 2013 14:24:58 GMT https://community.splunk.com/t5/Getting-Data-In/Can-t-get-UF-to-translate-cooked-to-plain-old-syslog/m-p/50934#M9770 rturk 2013-09-04T14:24:58Z