Developing for Splunk Enterprise

Syslog routing

szrobag
Explorer

Hello

I have a few devices logging to an index feeding Splunk via syslog on 514/UDP.
I want to index and syslog-route logs coming in over port 514 from one IP address to a specific remote syslog server.

I have tried this config, don't know what went wrong:

props.conf

[host::x.x.x.x]
TRANSFORMS-fw-1 = redirect_1
TRANSFORMS-fw-2 = redirect_2

transforms.conf

[redirect_1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ( syslog server defined in outputs.conf )

I see indexed data, but not the syslog output...

Or... define the host in inputs.conf

[udp://x.x.x.x:514]
_SYSLOG_ROUTING = ( syslog server defined in outputs.conf )

thanks.


jkat54
SplunkTrust

Change the FORMAT in transforms.conf to the outputs.conf stanza name. Not the server name:

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fw_test


szrobag
Explorer

No need to modify, I already use "FORMAT = fw_test" in the config.


jkat54
SplunkTrust

What if you combine your transforms statement in props.conf:

TRANSFORMS-fw = redirect_1, redirect_2


szrobag
Explorer

I tried adding the stanzas to one transform rule first. Unfortunately the result was the same: I got indexed data, but no syslog out.
Is it possible to debug this kind of failure with the Splunk log somehow?


kmorris_splunk
Splunk Employee

Can you share how you defined the syslog server in outputs.conf? Scrubbed is fine.


szrobag
Explorer

Sure.

[syslog:fw_test]
disabled = false
server = 8.8.8.8:514
type = udp

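The thread turns on one consistency rule: a routing transform's FORMAT must name a stanza in outputs.conf ([syslog:<group>] for _SYSLOG_ROUTING, [tcpout:<group>] for _TCP_ROUTING), never the server address, and every name listed in a TRANSFORMS-* key must exist in transforms.conf. The script below is an added example, not code from the thread or from Splunk: it parses .conf-style text and checks that chain across props, transforms and outputs. The sample configs are constructed to mirror the thread (the host 192.0.2.10 and the group name fw_test are assumptions), and a second transforms.conf variant shows the mistake jkat54 describes, FORMAT set to the server instead of the stanza name.

```python
"""Consistency check for Splunk syslog/tcp routing across props.conf,
transforms.conf and outputs.conf (added example; assumes the stanza names
below, which are constructed to mirror the forum thread)."""
from typing import Dict, List


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Blank lines and '#' comments are skipped; keys before the first
    stanza header land in the implicit 'default' stanza, as Splunk does.
    """
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


# DEST_KEY -> the outputs.conf stanza prefix its FORMAT value must name
ROUTING_PREFIX = {"_SYSLOG_ROUTING": "syslog", "_TCP_ROUTING": "tcpout"}


def check_routing(props: str, transforms: str, outputs: str) -> List[str]:
    """Return a list of problems; an empty list means the chain is consistent."""
    p, t, o = parse_conf(props), parse_conf(transforms), parse_conf(outputs)
    problems: List[str] = []
    for stanza, keys in p.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # TRANSFORMS-<name> may list several transforms, comma separated
            for name in (n.strip() for n in value.split(",") if n.strip()):
                tr = t.get(name)
                if tr is None:
                    problems.append(f"[{stanza}] {key}: missing transform [{name}]")
                    continue
                prefix = ROUTING_PREFIX.get(tr.get("DEST_KEY", ""))
                if prefix is None:
                    continue  # not a routing transform, nothing to cross-check
                fmt = tr.get("FORMAT", "")
                if f"{prefix}:{fmt}" not in o:
                    problems.append(
                        f"[{name}]: FORMAT = {fmt!r} is not an outputs.conf "
                        f"[{prefix}:...] stanza name"
                    )
    return problems


# Constructed sample configs mirroring the thread (host and names assumed)
PROPS = """
[host::192.0.2.10]
TRANSFORMS-fw = redirect_1, redirect_2
"""

TRANSFORMS_OK = """
[redirect_1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fw_test
"""

# The mistake discussed in the thread: FORMAT holds the server, not the stanza name
TRANSFORMS_BAD = TRANSFORMS_OK.replace("FORMAT = fw_test", "FORMAT = 8.8.8.8:514")

OUTPUTS = """
[tcpout:default-autolb-group]
server = 192.0.2.20:9997

[syslog:fw_test]
disabled = false
server = 8.8.8.8:514
type = udp
"""

if __name__ == "__main__":
    for label, tconf in (("ok", TRANSFORMS_OK), ("bad", TRANSFORMS_BAD)):
        print(label, check_routing(PROPS, tconf, OUTPUTS) or "consistent")
```

Run it as-is to see the good variant report "consistent" and the bad one flag [redirect_2]. Pointing it at the real files (read them from etc/system/local or the app's local directory) is a quick sanity check before digging through splunkd.log, but it only covers the naming chain; it cannot tell whether the host stanza actually matches the host value Splunk assigns to the UDP input.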