We have a relatively small Splunk implementation - just 1 standalone server. We're downloading Cisco Umbrella logs from the Cisco-managed S3 Bucket for reporting purposes.
We now have the need to also forward those Umbrella logs to a syslog server in addition to leaving them on the standalone for reporting. Is there a way to configure a standalone to forward to a syslog server?
Please read this: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd#Sysl... It can be configured on any Splunk instance. Just a word of caution: if you configure forwarding to a third-party receiver and the receiving end goes down or is not available, you will get in trouble on your Splunk instance.
Hope this helps ...
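A sketch of the syslog routing that the linked documentation describes, added here as an example and not taken from the posts in this thread. The group name, server address and sourcetype stanza are placeholders; replace the sourcetype with the one your Umbrella input actually assigns.

```ini
# --- outputs.conf ---
# Defines the third-party syslog destination. Events are sent here only
# when a transform routes them to this group.
[syslog:umbrella_syslog]
# Placeholder address of the receiving syslog server.
server = 192.0.2.10:514
type = udp

# --- props.conf ---
# Placeholder sourcetype: attach the routing transform only to the data
# that should leave the instance.
[your:umbrella:sourcetype]
TRANSFORMS-umbrella_syslog = send_umbrella_to_syslog

# --- transforms.conf ---
# Matches every event of the sourcetype above and sets its syslog routing
# key to the group defined in outputs.conf.
[send_umbrella_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = umbrella_syslog
```

Events continue to be indexed locally, and only events from the sourcetype named in props.conf are copied to the syslog group.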
With this standalone instance, I have multiple apps receiving data. I only want 1 index to forward to an external syslog server. Is that possible without a heavy forwarder?