
How to configure a heavy forwarder created with a TCP/UDP 514 input to forward syslog messages?

kenchoi
Explorer

I would like to configure the heavy forwarder to forward the syslog messages to the indexer. The forwarder is created with a TCP/UDP 514 input for listening for the syslog data; however, nothing can be searched from the indexer.

I have installed the Deployment monitor app and the forwarders have data coming in.

Is there any configuration that needs to be done on the indexer?

Following is the info from the deployment monitor app:

Hostname: linux01
Current Status: active
Last Time Data Received: 06/20/2014 03:15:51
Forwarder Type: heavy forwarder
Splunk Version: 6.1.1
Platform: Linux on x86_64
Source IP: 192.168.8.5
Destination Port: 9997
Connections This Period: 23
Average KB Per Second: 38.1618
Average Events Per Second: 3.1206

0 Karma

splunker12er
Motivator

Create a syslog.conf file to get the TCP/UDP inputs and save it to a location on the heavy forwarder with the hostname. Then, using the inputs.conf file monitor stanza, read the files...

0 Karma

kenchoi
Explorer

Thanks for your advice.

However, our requirements require us to configure the forwarder to receive the syslog messages over the network.

0 Karma

pmdba
Builder

You will need to customize whatever app is accepting your syslog data with an "outputs.conf" file. Otherwise your heavy forwarder will index your syslog data locally instead of sending it on. I would highly recommend using the UniversalForwarder instead of the full Splunk installation, especially if you have no need to index this data on the source host. Read up in the documentation on distributed architectures, the Deployment Server, and Deployment Apps as well.

pmdba
Builder

Your inputs.conf file should also specify the index name.

[tcp://514]
index = my_index_name
sourcetype = syslog

There really isn't anything else to configure on the indexer in terms of inputs - everything is defined on the forwarder. The only other thing I can think of is to make sure that syslog is actually writing data to that port.

0 Karma
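To make the checks in the two answers above concrete, here is an added example (not code from this thread and not Splunk's own code) that lints a forwarder's inputs.conf and outputs.conf for the problems discussed: an input stanza with no index (events land in the default index, main, so a search against another index finds nothing), forwarding not switched on or routed to a server, indexAndForward keeping a local copy, and a privileged port that splunkd cannot bind when it runs as an unprivileged user. The two embedded config texts are constructed to mirror the ones posted in this thread; on a real forwarder, read the files from $SPLUNK_HOME/etc/system/local/ (or an app's local/ directory) instead.

```python
"""Lint a heavy forwarder's inputs.conf/outputs.conf for the syslog-forwarding
mistakes discussed in this thread. Added example; not Splunk's code and not
code from the thread. The two sample config texts are constructed to mirror
the configs posted above; to check a real forwarder, read the files from
$SPLUNK_HOME/etc/system/local/ (or an app's local/ directory) instead."""
import configparser

# Constructed sample: the inputs.conf posted in the thread (sourcetype, no index).
SAMPLE_INPUTS = """
[udp://514]
sourcetype = syslog

[tcp://514]
sourcetype = syslog
"""

# Constructed sample: the outputs.conf posted in the thread.
SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 0

[tcpout:default-autolb-group]
server = 192.168.8.2:9997

[tcpout-server://192.168.8.2:9997]
"""


def parse_conf(text):
    """Parse Splunk .conf text; it is INI-like but keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep defaultGroup as written, not lower-cased
    cp.read_string(text)
    return cp


def is_true(value):
    """Splunk accepts 1/true/yes for boolean settings."""
    return str(value).strip().lower() in ("1", "true", "yes")


def check_inputs(text):
    """Return findings for every [tcp://...] / [udp://...] / [tcp-ssl:...] stanza."""
    cp = parse_conf(text)
    findings = []
    for stanza in cp.sections():
        if not stanza.startswith(("tcp://", "udp://", "tcp-ssl:")):
            continue
        keys = cp[stanza]
        if is_true(keys.get("disabled", "0")):
            findings.append(f"[{stanza}]: disabled = 1, nothing is listening")
            continue
        if "index" not in keys:
            findings.append(f"[{stanza}]: no index; events go to the default index (main), "
                            "so search index=main or set index explicitly")
        if "sourcetype" not in keys:
            findings.append(f"[{stanza}]: no sourcetype; events get an auto-assigned sourcetype")
        try:
            # Stanza names look like tcp://514, udp://10.0.0.1:514 or tcp-ssl:514.
            port = int(stanza.split("/")[-1].rsplit(":", 1)[-1])
        except ValueError:
            findings.append(f"[{stanza}]: cannot parse a port from the stanza name")
            continue
        if port < 1024:
            findings.append(f"[{stanza}]: port {port} is privileged on Linux; splunkd must run "
                            "as root (or hold CAP_NET_BIND_SERVICE) or the bind fails (see splunkd.log)")
        if stanza.startswith("udp://"):
            findings.append(f"[{stanza}]: UDP syslog is unauthenticated and unencrypted; any host "
                            "that can reach the port can inject or spoof events")
    return findings


def check_outputs(text):
    """Return findings about whether forwarding is actually switched on and routed."""
    cp = parse_conf(text)
    if "tcpout" not in cp:
        return ["no [tcpout] stanza: forwarding is off, so a heavy forwarder indexes locally"]
    findings = []
    tcpout = cp["tcpout"]
    groups = [g.strip() for g in tcpout.get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        findings.append("[tcpout]: no defaultGroup, so inputs without _TCP_ROUTING have no destination")
    for group in groups:
        name = f"tcpout:{group}"
        if name not in cp:
            findings.append(f"[tcpout]: defaultGroup '{group}' has no [{name}] stanza")
        elif not cp[name].get("server"):
            findings.append(f"[{name}]: no server = host:port, nowhere to send events")
    if is_true(tcpout.get("indexAndForward", "0")):
        findings.append("[tcpout]: indexAndForward = 1 keeps a local copy on the forwarder "
                        "as well as forwarding; usually unwanted on a pure forwarder")
    return findings


if __name__ == "__main__":
    for finding in check_inputs(SAMPLE_INPUTS) + check_outputs(SAMPLE_OUTPUTS):
        print(finding)
```

Run against the posted configs it reports that neither 514 stanza sets an index (so the data, if it arrives, is in main), that 514 is a privileged port, and that the UDP listener accepts anything from anyone; the outputs.conf itself passes, which matches the thread's conclusion that the indexer side needs no input configuration.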

kenchoi
Explorer

I notice in the deployment monitor app that the forwarder has sent something to the indexer.

I think it may be that the indexer doesn't know how to handle the syslog traffic, as there is not much information in the documents stating the configuration required on the indexer (e.g. creating a data input, etc.). I would like to have help with this.

0 Karma

kenchoi
Explorer

Thanks. I have tried the Universal/Light Forwarder as well, but still nothing can be searched in the index.

I created the inputs.conf and outputs.conf on the forwarder at etc/system/local with the UDP/TCP port 514 inputs enabled:

inputs.conf

[udp://514]
sourcetype = syslog

[tcp://514]
sourcetype = syslog

outputs.conf

[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 0

[tcpout:default-autolb-group]
server = 192.168.8.2:9997

[tcpout-server://192.168.8.2:9997]

The indexer has its receiver enabled on port 9997.
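With the configuration above in place, the next thing to prove is that a syslog message actually reaches the 514 inputs on the forwarder at all. The following is an added example (not code from this thread or from Splunk) that builds an RFC 3164 syslog line, sends it by UDP or TCP, and includes a loopback self-test so the framing can be checked without a forwarder. The hostname linux01 and the app name splunktest in the sample message, and the SAMPLE_TIME timestamp, are constructed; point send_udp/send_tcp at your forwarder (for the thread's setup, 192.168.8.5 port 514) to exercise the real input.

```python
"""Send a test syslog message to a Splunk network input. Added example, not
code from this thread or from Splunk. send_udp()/send_tcp() target a real
forwarder; loopback_roundtrip() stands up a throwaway listener on 127.0.0.1
so the framing can be exercised offline."""
import datetime
import socket

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
# Constructed timestamp for a reproducible sample line.
SAMPLE_TIME = datetime.datetime(2014, 6, 20, 3, 15, 51)


def build_syslog(msg, hostname="linux01", app="splunktest",
                 facility=FACILITY_LOCAL0, severity=SEVERITY_INFO, when=None):
    """Build an RFC 3164 (BSD) line: <PRI>Mmm dd hh:mm:ss host app: msg.

    PRI is facility * 8 + severity; the day is space-padded ("Jun  1"), as RFC 3164 requires.
    """
    pri = facility * 8 + severity
    when = when or datetime.datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {app}: {msg}"


def sample_line():
    """The constructed test message this script sends by default."""
    return build_syslog("hello from the forwarder test", when=SAMPLE_TIME)


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    if not line.startswith("<") or ">" not in line[:6]:
        raise ValueError("no <PRI> header")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_udp(host, port, line):
    """One datagram per message; no framing, and no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def send_tcp(host, port, line):
    """Splunk's [tcp://] input breaks the stream on newlines, so terminate each event."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")


def loopback_roundtrip(proto, line):
    """Send `line` to a throwaway listener on 127.0.0.1 and return what arrived."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as r:
            r.bind(("127.0.0.1", 0))  # port 0: let the kernel pick an unprivileged port
            r.settimeout(5)
            send_udp("127.0.0.1", r.getsockname()[1], line)
            data, _ = r.recvfrom(65535)
            return data.decode()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as r:
        r.bind(("127.0.0.1", 0))
        r.listen(1)
        r.settimeout(5)
        send_tcp("127.0.0.1", r.getsockname()[1], line)  # handshake completes into the backlog
        conn, _ = r.accept()
        with conn:
            conn.settimeout(5)
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf.decode().rstrip("\n")


if __name__ == "__main__":
    line = sample_line()
    for proto in ("udp", "tcp"):
        assert loopback_roundtrip(proto, line) == line, proto
    print("loopback ok:", line, parse_pri(line))
    # Against the thread's forwarder (uncomment to use):
    # send_udp("192.168.8.5", 514, line)
    # send_tcp("192.168.8.5", 514, line)
```

After sending, search the index the input writes to (main unless the stanza sets index) for the app name in the message. Note that both the hostname in the header and, for UDP, the source address are under the sender's control, so events arriving on a raw 514 listener should not be treated as authenticated; restricting the stanza to a source address or fronting the port with a syslog daemon or TLS input limits who can inject.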

kenchoi
Explorer

I just wonder how the indexer recognizes the forwarded traffic as syslog messages. Do I need to have some configuration on the indexer to perform this?

0 Karma

kenchoi
Explorer

Thanks, I have followed all the steps in the manual.

0 Karma

mkinsley_splunk
Splunk Employee

A heavy forwarder is a full version of Splunk. The thing that makes it a forwarder is turning on forwarding. Have you followed the steps here to turn on forwarding?

http://docs.splunk.com/Documentation/Splunk/6.1.1/Forwarding/Deployaheavyforwarder

0 Karma