Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

universal forwarder on windows not forwarding SYSLOG

mikefoti
Communicator
‎09-07-2011 09:52 AM

So far I have been unable to get the universal forwarder to forward any events via syslog.

After initial install, using wireshark, I did see TCP being sent out. But since I only want to foward via syslog, using UDP port 514, I edited \local\outputs.conf so it includes only these lines:

[syslog]
defaultGroup = PrdIndexer_udp514

[syslog:PrdIndexer_udp514]
disabled = false
server = 123.456.789.123:514

I restarted the windows "SplunkForwader" service and still see no UDP/514 leaving the box.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎09-08-2011 08:45 AM

A very quick search yielded the following answer:

http://splunk-base.splunk.com/answers/28991/universal-forwarder-send-syslog-to-a-thrid-party

Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎09-08-2011 01:50 PM

I think you are overlooking this:

http://splunk-base.splunk.com/answers/28991/universal-forwarder-send-syslog-to-a-thrid-party/29181

"Universal Forwarders do not Forward Syslog."

0 Karma
Reply
Solved! Jump to solution

mikefoti
Communicator
‎09-08-2011 11:00 AM

Thanks araitz... I re-read that link and do see one thing I overlooked before... but not sure if its significant.

This statement...
Note: If you have defined multiple event types for syslog data, the event type names must all include the string "syslog".

I believe the only time might have affected "event types" would have been during the initial install when I selected to monitor/forward events from the local windows System eventlog. So, do I need to re-specify what needs monitored and forwarded so that the syslog forwarding engine becomes aware?

0 Karma
Reply
Solved! Jump to solution

mikefoti
Communicator
‎09-08-2011 07:46 AM

Only 8 views and 0 answers!?!?!

I
m not sure if my question is too difficult, lacks enough detail or maybe has been asked/answered too many times.

Anybody have any advice?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...