I configured a universal forwarder to transfer raw data to a Splunk indexer and a 3rd-party syslog server with the following configuration.
#outputs.conf
[tcpout]
defaultGroup = default-autolb-group, sub-group
[tcpout:default-autolb-group]
server = splunk_server:9997
[tcpout:sub-group]
server = syslog_server:514
sendCookedData = false
And I found the 3rd-party syslog server receiving the following messages from the UF continuously.
Mar 6 14:20:55 ForwarderInfo build=196940 version=6.0.2 os=Linux arch=x86_64 hostname=splk guid=XX-XX-46F4-BF90-XXXXXXXX fwdType=uf ssl=false lastIndexer=172.XX.XX.XXX:9997
Mar 6 14:21:25 ForwarderInfo build=196940 version=6.0.2 os=Linux arch=x86_64 hostname=splk guid=XX-XX-46F4-BF90-XXXXXXXX fwdType=uf ssl=false lastIndexer=172.XX.XX.XXX:9997
I think these messages are a heartbeat from the UF to the syslog server.
However, the README for outputs.conf, outputs.conf.spec, says
heartbeatFrequency = <integer>
* How often (in seconds) to send a heartbeat packet to the receiving server.
* Heartbeats are only sent if sendCookedData=true.
* Defaults to 30 seconds.
Now I have a contradiction because I set "sendCookedData=false".
What does that message mean?
And is there any way to stop sending those messages?
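As an added example (not from the thread and not Splunk's own tooling), the following Python separates ForwarderInfo heartbeats like the two above from ordinary events at the syslog receiver, so they can be counted, alerted on or dropped, and shows which forwarder metadata (version, guid, last indexer) each heartbeat hands to the third party. The two heartbeat lines are copied from the question; the sshd line is constructed, and the function and pattern names are my own.

```python
import re

# Constructed sample of what the 3rd-party syslog server received:
# two ForwarderInfo heartbeats copied from the question plus one
# ordinary event line made up for this example.
SAMPLE_LINES = [
    "Mar 6 14:20:55 ForwarderInfo build=196940 version=6.0.2 os=Linux arch=x86_64 "
    "hostname=splk guid=XX-XX-46F4-BF90-XXXXXXXX fwdType=uf ssl=false "
    "lastIndexer=172.XX.XX.XXX:9997",
    "Mar 6 14:21:00 splk sshd[2231]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2",
    "Mar 6 14:21:25 ForwarderInfo build=196940 version=6.0.2 os=Linux arch=x86_64 "
    "hostname=splk guid=XX-XX-46F4-BF90-XXXXXXXX fwdType=uf ssl=false "
    "lastIndexer=172.XX.XX.XXX:9997",
]

# syslog-style timestamp, the literal ForwarderInfo tag, then key=value pairs
HEARTBEAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ForwarderInfo (?P<fields>.+)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_forwarder_info(line):
    """Return the heartbeat's fields as a dict, or None for a non-heartbeat line."""
    m = HEARTBEAT_RE.match(line)
    if m is None:
        return None
    info = dict(KV_RE.findall(m.group("fields")))
    info["timestamp"] = m.group("ts")
    return info


def split_stream(lines):
    """Separate ForwarderInfo heartbeats (parsed) from everything else (raw)."""
    heartbeats, events = [], []
    for line in lines:
        info = parse_forwarder_info(line)
        if info is None:
            events.append(line)
        else:
            heartbeats.append(info)
    return heartbeats, events


def exposed_forwarders(heartbeats):
    """Map each forwarder hostname to the metadata its heartbeats reveal
    to the receiver (version, guid and the indexer it last talked to)."""
    seen = {}
    for hb in heartbeats:
        seen[hb.get("hostname", "?")] = {
            k: hb[k] for k in ("version", "guid", "lastIndexer") if k in hb
        }
    return seen


if __name__ == "__main__":
    hbs, evs = split_stream(SAMPLE_LINES)
    print(f"{len(hbs)} heartbeats, {len(evs)} events")
    for host, meta in exposed_forwarders(hbs).items():
        print(host, meta)
```

Run against a real receiver's log file, a steady stream of parsed heartbeats with no accompanying events is the symptom the question describes; the hostname-to-metadata map is what you would review when deciding whether that information should be reaching a non-Splunk system at all.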
In the case of using a UF, we can transfer raw data to a 3rd-party syslog server.
But that includes not only event data but also splunkd process logs (internal logs).
Furthermore, when the UF has multiple tcpouts, the heartbeat from the UF to receivers is always on.
This may be because of TCP connections (sending data precisely).
But when the UF has just a single tcpout, the heartbeat is off.
So the receiver does not catch any heartbeats.
Adding this to the output seems to stop the heartbeat data for me
heartbeatFrequency=0
e.g.
[tcpout:something]
heartbeatFrequency=0
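As an added example (not part of the thread and not a Splunk tool), this Python script applies the two observations above to an outputs.conf: when more than one tcpout group is configured, every group that sends raw data (sendCookedData = false) and does not already set heartbeatFrequency = 0 is reported, and a corrected copy of the file is produced. It assumes only the stanza and key names that appear in this thread; the sample config is the poster's, embedded inline, and the function names are my own.

```python
import configparser

# The poster's outputs.conf from the question, embedded as sample input.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group, sub-group

[tcpout:default-autolb-group]
server = splunk_server:9997

[tcpout:sub-group]
server = syslog_server:514
sendCookedData = false
"""


def parse_outputs_conf(text):
    """Splunk .conf files are INI-shaped; keep key case (sendCookedData etc.)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def tcpout_groups(cp):
    """Only the [tcpout:<group>] stanzas, not the global [tcpout] one."""
    return [s for s in cp.sections() if s.startswith("tcpout:")]


def is_false(value):
    return value.strip().lower() in ("false", "0", "f", "no")


def heartbeat_leaks(cp):
    """Raw-output groups that will still receive ForwarderInfo heartbeats.

    Rule taken from the thread: heartbeats are only sent when several
    tcpout groups exist, and heartbeatFrequency=0 in the group's own
    stanza switches them off for that group.
    """
    groups = tcpout_groups(cp)
    if len(groups) < 2:
        return []  # single tcpout: the UF sends no heartbeat at all
    leaking = []
    for g in groups:
        sec = cp[g]
        if not is_false(sec.get("sendCookedData", "true")):
            continue  # cooked Splunk-to-Splunk link; heartbeat is expected there
        if sec.get("heartbeatFrequency", "").strip() == "0":
            continue  # already silenced
        leaking.append(g)
    return leaking


def fixed_conf(cp):
    """Add heartbeatFrequency = 0 to each leaking group and render the file."""
    for g in heartbeat_leaks(cp):
        cp[g]["heartbeatFrequency"] = "0"
    out = []
    for s in cp.sections():
        out.append(f"[{s}]")
        for k, v in cp[s].items():
            out.append(f"{k} = {v}")
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    conf = parse_outputs_conf(SAMPLE_OUTPUTS_CONF)
    for g in heartbeat_leaks(conf):
        print(f"[{g}] sends raw data alongside other groups; add heartbeatFrequency = 0")
    print(fixed_conf(conf))
```

The check is deliberately per-group: the cooked link to the indexer keeps its heartbeat, and only the raw link to the non-Splunk receiver gets heartbeatFrequency = 0, which is exactly the stanza shown above.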
Hi Sunrise,
You might want to try setting the syslog forwarding stanza as described here:
In other words, try making the outputs.conf look like this:
[tcpout]
defaultGroup = default-autolb-group, sub-group
[tcpout:default-autolb-group]
server = splunk_server:9997
[syslog:sub-group]
server = syslog_server:514
sendCookedData = false
I found that heartbeats are "true" when the UF transfers data to multiple tcpouts. But with a single tcpout, heartbeats are "false".
Hi Rob, thank you for your answer.
But I could not use "syslog output" in the Universal Forwarder.
The README also says that
"The syslog output processor is not available for universal or light forwarders."
I actually tried "_SYSLOG_ROUTING" in a heavy forwarder to transfer the data to the 3rd-party syslog server, and there the above messages do not appear. So is it a bug in Splunk?