Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can Heavy Forwarder write syslog data locally ?

dm1
Contributor
‎03-02-2022 06:52 PM

I have configured Heavy Forwarder to collect and forward syslog data to our Splunk Indexers. We purposely don't wish to use syslog server for the log collection due to other reasons.

Now we also have a requirement to forward the syslog data to Azure log analytics. Unfortunately, with log analytics, we must use log analytics agent (which is very similar to Splunk UF) to collect logs locally on the HF and forward to log analytics. I haven't found a way to forward logs from HF to log analytics directly. 

Hence, just wondering if someone can advise if its possible to configure HF to write logs locally, just exactly how syslog does (like rsyslog) ?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-03-2022 12:23 AM

No. You can only use outputs listed on https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Outputsconf

So if your have a very strong need to pass the date by your forwarder first and write it to local file afterwards, you'd have to use local syslog daemon and forward the data to it.

So you'd be better off doing it the other way around after all - collecting data with local syslog and forwarding it to splunk forwarder - it's more obvious this way.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

venky1544
Builder
‎03-03-2022 04:53 AM

Hi @dm1 

I Don't Think you can configure it in HF as an alternate you can call the rest api . you could write a local powershell script or use curl with crontab to export the data via rest api into a file and then use the log analytics agent to read that file 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎03-03-2022 12:23 AM

No. You can only use outputs listed on https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Outputsconf

So if your have a very strong need to pass the date by your forwarder first and write it to local file afterwards, you'd have to use local syslog daemon and forward the data to it.

So you'd be better off doing it the other way around after all - collecting data with local syslog and forwarding it to splunk forwarder - it's more obvious this way.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...