Syslog routing

szrobag · ‎05-29-2018

Hello

I have few of devices logging to an index feeding Splunk via Syslog on 514/UDP.
I want to index and syslog-route logs coming in over port 514 from one IP address to a specific remote syslog server.

I have tried this config, dont know what's went wrong... :

props.conf

[host::x.x.x.x]
TRANSFORMS-fw-1 = redirect_1
TRANSFORMS-fw-2 = redirect_2

transforms.conf

[redirect_1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ( syslog server defined in outputs.conf )

I see indexed data, but not the syslog output...

Or... define the host in inputs.conf

[udp://x.x.x.x:514]
_SYSLOG_ROUTING = ( syslog server defined in outputs.conf )

thanks.

jkat54 · ‎05-29-2018

Change the FORMAT in transforms.conf to the outputs.conf stanza name. Not the server name:

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fw_test

szrobag · ‎05-29-2018

No need to modify, i already use "FORMAT = fw_test" in config.

jkat54 · ‎05-29-2018

What if you combine your transforms statement in props.conf:

TRANSFORMS-fw = redirect_1, redirect_2

szrobag · ‎05-29-2018

I tried to add the stanzas in one transform rule first. Unfortunately the result was the same. I got indexed data, but no syslog out.
It is possible to debug this kind of failures with splunk log somehow ?

kmorris_splunk · ‎05-29-2018

Can you share how you defined the syslog server in outputs.conf? Scrubbed is fine.

szrobag · ‎05-29-2018

Sure.

[syslog:fw_test]
disabled = false
server = 8.8.8.8:514
type = udp

Syslog routing

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk