Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to replicate data to the indexer *and* a syslog server

fsaporito
Explorer
‎01-10-2020 06:31 AM

Hello all,
I have a doubt in my routing configuration. I'm using an HF and I configured an app to perform some routing (but it's more like a replication) to a syslog server of a specific sourcetype.
This is my props.conf

[sourcetype::XmlWinEventLog]
TRANSFORMS-XMLWin = send_to_IDX, send_to_syslog

and here is my transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SGroup

[send_to_IDX]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = idx_core

I have a locally (to the app) defined outputs.conf 

[syslog]

[syslog:SGroup]
server = X.X.X.X:601
priority = <190>
type = tcp
timestampformat = "%d/%m/%Y %H:%M:%S"

and the idx_core is defined in a global outputs.conf
Now my doubt is how the transform will execute and tag the events. In my understanding, the order of transforms is important and so the REGEX filter in the specific transform stanza. So if I run first the transform "send_to_IDX", ALL the events (matched by REGEX=.) will be tagged to be sent to tcprouting idx_core, so when the transform "send_to_syslog" runs, no events will be routed to the syslog.
Is my assumption correct? If so, how can I do this double routing of that specific sourcetype?

thanks,
Fausto

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jarizeloyola
Path Finder
‎01-10-2020 02:39 PM

Your configuration for the syslog routing looks correct. However, you can try to remove the _tcp_routing for the indexer , its already in [tcpout] defaultGroup of outputs.conf. By default, the forwarder will automatically sends all events to all specified target groups.

View solution in original post

Reply
Solved! Jump to solution
Solution

jarizeloyola
Path Finder
‎01-10-2020 02:39 PM

Your configuration for the syslog routing looks correct. However, you can try to remove the _tcp_routing for the indexer , its already in [tcpout] defaultGroup of outputs.conf. By default, the forwarder will automatically sends all events to all specified target groups.

View solution in original post

Reply
Solved! Jump to solution

jarizeloyola
Path Finder
‎01-10-2020 06:54 AM

Your configuration for the syslog routing looks correct. However, you can try to remove the _tcp_routing for the indexer , its already in [tcpout] defaultGroup of outputs.conf. By default, the forwarder will automatically sends all events to all specified target groups.

Reply
Solved! Jump to solution

fsaporito
Explorer
‎01-10-2020 10:23 AM

You are right, it works! Thanks for the input. Anyway, I noticed that if I do not specify a defaultGroup in the Syslog stanza, Splunk doesn't send anything to the Syslog server and this is very weird.

0 Karma
Reply
Solved! Jump to solution

jarizeloyola
Path Finder
‎01-10-2020 02:26 PM

hello , can you mark it as an answer if it does help you ? .
Do you mean defaultGroup for the tcpout of indexers ?
I only use defaultGroup for the tcpout . For the syslog routing only transforms and syslog stanza in outputs.conf because its sends the data through a separate output processor.

You may want to check this reference
https://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Forwarddatatothird-partysystemsd#Syslog_...

0 Karma
Reply
Solved! Jump to solution

fsaporito
Explorer
‎01-12-2020 10:53 PM

Hello, I mean the defaultGroup for syslog stanza. Looking into the Splunk docs, it seems this config is mandatory, and my tests agree with that.

0 Karma
Reply
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!

Get Updates on the Splunk Community!