topic Re: Forward specific syslog message to another system in Splunk Search

Forward specific syslog message to another system

nmobrien1977 — Thu, 18 Apr 2013 13:27:03 GMT

Hi,
I have splunk v5.0 running on RHEL and I want to forward all syslog messages %SYS-CONFIG-5 events from splunk to another system. I've been looking through the forum and have seen light/heavy forwaders etc and also seen about editing outputs.conf file. I'm not sure how to specifically go about doing this.

If someone can help, I'd appreciate it.

Thanks,
Neil

Re: Forward specific syslog message to another system

kristian_kolb — Thu, 18 Apr 2013 15:11:20 GMT

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Forwarddatatothird-partysystemsd

Re: Forward specific syslog message to another system

datasearchninja — Thu, 18 Apr 2013 15:17:35 GMT

You need the Heavy forwarder to be able to do this. The universal forwarder does not inspect events so you would not be able to forward based on a condition in the event.

The basic steps are:
1. Configure outputs.conf with the remote system. Don't set a default group, so by default you don't forward
2. Configure props.conf to run a transform for syslog source
3. Configure transforms.conf to set TCP routing when your condition is met

See the doco

Re: Forward specific syslog message to another system

bmacias84 — Thu, 18 Apr 2013 15:34:24 GMT

If you want to forward a subset of data to Splunk and a thirdpart you will have to use a concept called data routing and filtering. To acomplishing this you need a Heavy forwarder Installed instead of a Universal or Light Forwarder by editing outputs.conf, props.conf, and transforms.conf. By doing this you are sending raw syslog data to the another system.

If you have an Network like appliance you can have two syslog recepients list.

Additional Reading:

Forwarddatatothird-partysystemsd - Read Section called "Send a subset of data to a syslog server"
plunk-disaster-recovery?page=1&focusedAnswerId=60613#60613

Hope this helps or gets you started. Don't forget to accept and/or vote up answers.

Re: Forward specific syslog message to another system

nmobrien1977 — Tue, 23 Apr 2013 13:01:39 GMT

Thanks guys, but how do I know if I have a heavy forwarder or not?

Re: Forward specific syslog message to another system

kristian_kolb — Tue, 23 Apr 2013 14:01:45 GMT

You should know what you installed 🙂

There are two options, either you have a Universal Forwarder (no gui, no local indexing of events, located in /opt/splunkforwarder OR c:\program files\splunkuniversalforwarder)

a Heavy Forwarder, which is a regular Splunk instance which has been configured to forward incoming events (and possibly index them locally as well). GUI may optionally be turned off.

Re: Forward specific syslog message to another system

kristian_kolb — Tue, 23 Apr 2013 14:01:50 GMT

There is a possiblity that you don't have a forwarder AT ALL, but rather a standalone splunk indexer.

See this for info on where you can configure stuff.

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

PS. A Lightweight Forwarder is an older form of forwarder, now deprecated in favour of Universal Forwarder

Re: Forward specific syslog message to another system

bmacias84 — Tue, 23 Apr 2013 15:20:52 GMT

The full install of Splunk contains the Light Forwarder and Heavy Forwarder. Run ./splunk help if you see Splunkd and splunk web listed in status you have a full install, else its a UF. To check if HF or LF is enabled type ./splunk display app. If you see SplunkForwarder Enabled you have a HF or SplunkLightForwarder Enabled you have a LF.

Re: Forward specific syslog message to another system

nmobrien1977 — Mon, 28 Sep 2020 13:52:38 GMT

Hi Guys - thanks for your comments up to now, I've managed to get back to this.

So I've configured as per below but it's still not working, and I've no idea where to start looking for the reason why? I've also enabled the heavyforwarder. I'd appreciate some guidance, even if you just tell me where to look for some clues?

.................................................
outputs.conf
[syslog:MY_GROUP]
disabled = false
server = :514

.................................................

props.conf
[syslog]
TRANSFORMS-fwdsyslog = send_to_ncm
.................................................

transforms.conf
[send_to_ncm]
REGEX = SYS-5-CONFIG
DEST_KEY = _SYSLOG_ROUTING
FORMAT = MY_GROUP

Re: Forward specific syslog message to another system

bmacias84 — Fri, 10 May 2013 17:18:11 GMT

In your _raw data SYS-5-CONFIG is in every event? Why not just use REGEX = ., this regex will grab every syslog event. Everything else looks fine.

Re: Forward specific syslog message to another system

nmobrien1977 — Sat, 11 May 2013 09:41:45 GMT

THanks, I've actually tried it both ways, neither would work but I'm trying to match SYS-5-CONFIG just so I can initiate a config pull based on in. I don't need everything.