Deployment Architecture

How to replicate data to the indexer *and* a syslog server

fsaporito
Explorer

Hello all,
I have a doubt in my routing configuration. I'm using an HF and I configured an app to perform some routing (but it's more like a replication) to a syslog server of a specific sourcetype.
This is my props.conf

[sourcetype::XmlWinEventLog]
TRANSFORMS-XMLWin = send_to_IDX, send_to_syslog

and here is my transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SGroup

[send_to_IDX]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = idx_core

I have a locally (to the app) defined outputs.conf

[syslog]

[syslog:SGroup]
server = X.X.X.X:601
priority = <190>
type = tcp
timestampformat = "%d/%m/%Y %H:%M:%S"

and the idx_core is defined in a global outputs.conf
Now my doubt is how the transform will execute and tag the events. In my understanding, the order of transforms is important and so the REGEX filter in the specific transform stanza. So if I run first the transform "send_to_IDX", ALL the events (matched by REGEX=.) will be tagged to be sent to tcprouting idx_core, so when the transform "send_to_syslog" runs, no events will be routed to the syslog.
Is my assumption correct? If so, how can I do this double routing of that specific sourcetype?

thanks,
Fausto

0 Karma
1 Solution

jarizeloyola
Path Finder

Your configuration for the syslog routing looks correct. However, you can try to remove the _tcp_routing for the indexer , its already in [tcpout] defaultGroup of outputs.conf. By default, the forwarder will automatically sends all events to all specified target groups.

View solution in original post

jarizeloyola
Path Finder

Your configuration for the syslog routing looks correct. However, you can try to remove the _tcp_routing for the indexer , its already in [tcpout] defaultGroup of outputs.conf. By default, the forwarder will automatically sends all events to all specified target groups.

View solution in original post

jarizeloyola
Path Finder

Your configuration for the syslog routing looks correct. However, you can try to remove the _tcp_routing for the indexer , its already in [tcpout] defaultGroup of outputs.conf. By default, the forwarder will automatically sends all events to all specified target groups.

fsaporito
Explorer

You are right, it works! Thanks for the input. Anyway, I noticed that if I do not specify a defaultGroup in the Syslog stanza, Splunk doesn't send anything to the Syslog server and this is very weird.

0 Karma

jarizeloyola
Path Finder

hello , can you mark it as an answer if it does help you ? .
Do you mean defaultGroup for the tcpout of indexers ?
I only use defaultGroup for the tcpout . For the syslog routing only transforms and syslog stanza in outputs.conf because its sends the data through a separate output processor.

You may want to check this reference
https://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Forwarddatatothird-partysystemsd#Syslog_...

0 Karma

fsaporito
Explorer

Hello, I mean the defaultGroup for syslog stanza. Looking into the Splunk docs, it seems this config is mandatory, and my tests agree with that.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!