Deployment Architecture

How to replicate data to the indexer *and* a syslog server

fsaporito
Explorer

Hello all,
I have a doubt about my routing configuration. I'm using an HF and I configured an app to perform some routing (but it's more like a replication) of a specific sourcetype to a syslog server.
This is my props.conf

[sourcetype::XmlWinEventLog]
TRANSFORMS-XMLWin = send_to_IDX, send_to_syslog

and here is my transforms.conf

[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SGroup

[send_to_IDX]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = idx_core

I have a locally (to the app) defined outputs.conf

[syslog]

[syslog:SGroup]
server = X.X.X.X:601
priority = <190>
type = tcp
timestampformat = "%d/%m/%Y %H:%M:%S"

and the idx_core is defined in a global outputs.conf
Now my doubt is how the transforms will execute and tag the events. In my understanding, the order of transforms is important, and so is the REGEX filter in each transform stanza. So if the transform "send_to_IDX" runs first, ALL the events (matched by REGEX = .) will be tagged to be sent to the TCP routing group idx_core, so when the transform "send_to_syslog" runs, no events will be routed to the syslog.
Is my assumption correct? If so, how can I do this double routing of that specific sourcetype?

thanks,
Fausto


jarizeloyola
Path Finder

Your configuration for the syslog routing looks correct. However, you can try to remove the _TCP_ROUTING for the indexer; it's already in the [tcpout] defaultGroup of outputs.conf. By default, the forwarder automatically sends all events to all specified target groups.

fsaporito
Explorer

You are right, it works! Thanks for the input. Anyway, I noticed that if I do not specify a defaultGroup in the syslog stanza, Splunk doesn't send anything to the syslog server, and this is very weird.


jarizeloyola
Path Finder

Hello, can you mark it as an answer if it does help you?
Do you mean defaultGroup for the tcpout of indexers?
I only use defaultGroup for the tcpout. For the syslog routing, only transforms and the syslog stanza in outputs.conf, because it sends the data through a separate output processor.

You may want to check this reference
https://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Forwarddatatothird-partysystemsd#Syslog_...


fsaporito
Explorer

Hello, I mean the defaultGroup for syslog stanza. Looking into the Splunk docs, it seems this config is mandatory, and my tests agree with that.

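To make the ordering question from the original post and the defaultGroup observation above concrete, here is an added example (not Splunk's code and not from anyone in this thread). It parses constructed copies of the three .conf fragments posted in the question, applies the TRANSFORMS- list in order to a sample event, and reports which routing keys end up set. The model is deliberately simplified: it assumes that each matching transform writes FORMAT into its DEST_KEY, that a later transform only overwrites a key when it targets the same DEST_KEY, and that TRANSFORMS-<class> keys are applied in ASCII order of the class name. It also runs a small reviewer check over the [syslog] stanzas, flagging the missing defaultGroup that the thread found to be required.

```python
"""Simplified model of ordered TRANSFORMS- evaluation plus a sanity check
for the syslog side of outputs.conf. Added example, not Splunk's code;
the evaluation rules below are assumptions stated in the lead-in."""
import configparser
import re

# Constructed copies of the three .conf fragments posted in the question.
PROPS_CONF = """\
[sourcetype::XmlWinEventLog]
TRANSFORMS-XMLWin = send_to_IDX, send_to_syslog
"""

TRANSFORMS_CONF = """\
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SGroup

[send_to_IDX]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = idx_core
"""

OUTPUTS_CONF = """\
[syslog]

[syslog:SGroup]
server = X.X.X.X:601
priority = <190>
type = tcp
timestampformat = "%d/%m/%Y %H:%M:%S"
"""


def load_conf(text):
    """Parse a Splunk-style .conf fragment. Keys keep their case and no
    % interpolation is done, so '%d/%m/%Y' in timestampformat survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transform_chain(props, sourcetype):
    """Ordered transform names for a sourcetype. Assumption: TRANSFORMS-<class>
    keys apply in ASCII order of the class name, names within a key in order."""
    section = f"sourcetype::{sourcetype}"
    if not props.has_section(section):
        return []
    chain = []
    for key in sorted(k for k in props[section] if k.startswith("TRANSFORMS-")):
        chain.extend(n.strip() for n in props[section][key].split(",") if n.strip())
    return chain


def route_event(raw, chain, transforms):
    """Apply each transform in order. A transform whose REGEX matches writes
    FORMAT into its DEST_KEY; a later transform only overwrites a key when it
    targets the same DEST_KEY. Returns (routing keys, list of overwrites)."""
    keys, overwrites = {}, []
    for name in chain:
        stanza = transforms[name]
        if not re.search(stanza["REGEX"], raw):
            continue
        dest, fmt = stanza["DEST_KEY"], stanza["FORMAT"]
        if dest in keys:
            overwrites.append((dest, keys[dest], fmt, name))
        keys[dest] = fmt
    return keys, overwrites


def check_syslog_outputs(outputs, routing_keys):
    """Findings a reviewer would raise about the [syslog] stanzas. The
    defaultGroup check reflects the thread's observation that without it
    nothing reached the syslog server."""
    findings = []
    if outputs.has_section("syslog") and "defaultGroup" not in outputs["syslog"]:
        findings.append("[syslog] has no defaultGroup")
    group = routing_keys.get("_SYSLOG_ROUTING")
    if group:
        stanza = f"syslog:{group}"
        if not outputs.has_section(stanza):
            findings.append(f"{stanza} is referenced by _SYSLOG_ROUTING but not defined")
        elif outputs[stanza].get("type", "udp") not in ("tcp", "udp"):
            findings.append(f"{stanza} has an unknown type")
    return findings


def analyse(raw_event, sourcetype="XmlWinEventLog"):
    """Run the whole pipeline on one event and return a summary dict."""
    props, transforms, outputs = map(load_conf, (PROPS_CONF, TRANSFORMS_CONF, OUTPUTS_CONF))
    chain = transform_chain(props, sourcetype)
    keys, overwrites = route_event(raw_event, chain, transforms)
    return {"chain": chain, "keys": keys, "overwrites": overwrites,
            "findings": check_syslog_outputs(outputs, keys)}


if __name__ == "__main__":
    # Constructed sample event; any non-empty text matches REGEX = .
    result = analyse("<Event><System><EventID>4624</EventID></System></Event>")
    for label, value in result.items():
        print(f"{label}: {value}")
```

Under these assumptions the two transforms in the question do not compete, because they write different keys: the event ends up with both _TCP_ROUTING = idx_core and _SYSLOG_ROUTING = SGroup, and the overwrite list stays empty. Only two transforms that share a DEST_KEY would let the later one replace the earlier one's FORMAT, which the `overwrites` list makes visible when reviewing a longer chain.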