Hi,
I have Splunk 6.0.2 installed with the Splunk App for Windows 5.0.2. I can see the Windows events in the Windows app. I want to forward the logs to a syslog server on port 514. Can anyone please tell me the steps to follow for the same? Thanks.
I have turned off the firewall on the Windows and Linux machines. Still no success.
Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and port 9997.
Can you tell me whether any changes are required in the conf files of the universal forwarder?
Thanks
I have modified outputs.conf as below:
[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysyslog]
# the IP of the Linux machine
server=10.211.210.140:514
type=udp
Hi Mus,
Thanks for the above post!! I have read the docs on forwarding data to third-party systems. Below is my current scenario:
I have modified the conf files in \etc\System\local
1. inputs.conf:
[default]
host = WIN-ICJS9A8T038
[WinEventLog:Security]
disabled = 0
start-from = oldest
current-only=0
evt-dc-name =
evt-dns-name =
evt-resolve-ad-obj = 0
checkpointinterval = 5
[WinEventLog:System]
disabled = 0
start-from = oldest
current-only=0
evt-dc-name =
evt-dns-name =
evt-resolve-ad-obj = 0
checkpointinterval = 5
2. outputs.conf:
[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysysloggroup]
# the IP of the Linux machine
server=10.210.155.131:514
type=udp
3. props.conf:
[WinEventLog:security]
TRANSFORMS-routing = sendtosyslog
[Perfmon:Network Interface]
TRANSFORMS-routing = sendtosyslog
[syslog]
TRANSFORMS-routing = sendtosyslog
But I am unable to receive the logs on the Linux machine. Can you please help to resolve the issue?
Thanks.
I have turned off the firewall on the Windows and Linux machines. Still no success.
Also, I have installed the universal forwarder on the Windows machine and have given the indexing IP of the Windows machine and port 9997.
Can you tell me whether any changes are required in the conf files of the universal forwarder, and what more to do to receive the logs on the Linux machine?
Thanks
Your outputs.conf looks strange; you're using an undefined name as defaultGroup. Try something like this in outputs.conf:
[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysyslog]
# the IP of the Linux machine
server=10.210.155.131:514
type=udp
Besides this, all the usual debugging can help here, like running tcpdump on the indexer to see if there is something going out, checking firewalls, routing and so on.....
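The mismatch MuS points out above (the defaultGroup under [syslog] naming a group that has no matching [syslog:<name>] stanza) is easy to catch mechanically before restarting the forwarder. The following Python script is an added example, not code from this thread or from Splunk: it parses Splunk-style .conf text into stanzas, checks that defaultGroup resolves to a defined syslog group with a plausible server value, and flags a trailing '#' comment on a setting line, which Splunk .conf files do not support (everything after the '=' is taken as the value, comment included). The two config strings are constructed to mirror the posted outputs.conf and its corrected form; the function names are this example's own.

```python
"""Sanity-check the syslog routing block of a Splunk outputs.conf.

Added example for this thread, not Splunk's own tooling. It assumes the
Splunk .conf rules: [stanza] headers, key = value lines, and comments only
on lines that start with '#'.
"""
import re

# Constructed sample mirroring the posted config: defaultGroup names
# 'mysyslog' but the only group stanza is 'mysysloggroup', and the server
# line carries a trailing comment that becomes part of the value.
SAMPLE_OUTPUTS_CONF = """\
[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysysloggroup]
server=10.210.155.131:514 # the IP of the Linux machine
type=udp
"""

# Constructed corrected form: matching group name, comment on its own line.
FIXED_OUTPUTS_CONF = """\
[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysyslog]
# the IP of the Linux machine
server=10.210.155.131:514
type=udp
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Only full-line comments are skipped; a '#' after '=' stays in the
    value, which is exactly how Splunk reads the file.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any stanza, or not a setting
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_syslog_outputs(text):
    """Return a list of problems found; an empty list means the block is consistent."""
    stanzas = parse_conf(text)
    problems = []
    group = stanzas.get("syslog", {}).get("defaultGroup")
    if group is None:
        problems.append("no defaultGroup under [syslog]")
    else:
        # defaultGroup may be a comma-separated list of group names.
        for name in (n.strip() for n in group.split(",")):
            target = f"syslog:{name}"
            if target not in stanzas:
                problems.append(f"defaultGroup '{name}' has no [{target}] stanza")
                continue
            server = stanzas[target].get("server", "")
            # Expect host:port with a numeric port and no embedded whitespace.
            if not re.fullmatch(r"[^\s:]+:\d{1,5}", server):
                problems.append(f"[{target}] server value looks wrong: {server!r}")
    # No inline comments in Splunk .conf: a trailing '#' is part of the value.
    for stanza, settings in stanzas.items():
        for key, value in settings.items():
            if "#" in value:
                problems.append(
                    f"[{stanza}] {key}: trailing comment is part of the value {value!r}"
                )
    return problems


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_OUTPUTS_CONF), ("fixed", FIXED_OUTPUTS_CONF)):
        print(f"{label}: {check_syslog_outputs(conf) or 'OK'}")
```

To run it against a real file, pass the file contents to check_syslog_outputs; it reports the undefined group name and the swallowed comment for the posted config, and nothing for the corrected one. It does not check whether the Windows host can actually reach UDP 514 on the Linux box, which is where tcpdump on the receiving side comes in.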
Hi jyo,
You can find a perfect example in the docs about forwarding data to third-party systems; it includes an example for syslog data.
Cheers, MuS