I would like to deploy Light Forwarders at our remote locations to act as a syslog server. Can light forwarder be configured to forward data and receive data on TCP/UDP 514? Or is this only possible in a standard forwarder?
You can do either of these two things:
1 - You can send raw data to the Splunk indexer through both TCP and UDP ports using your syslog.
2 - You can send Splunk data (from a forwarder) to the Splunk indexer through ONLY TCP.
So, if you want to go with option 1, and keep your syslog and send data to Splunk, you can use:
./splunk add tcp 50333
Listening for data on TCP port 50333.
./splunk add udp 50332
Listening for UDP input on port 50332.
Of course you can change the port to 514 as needed by syslog.
If you do not want to use syslog then you can use:
The listening needs to be done on the indexer:
./splunk enable listen 50123
./splunk restart
The forwarding needs to be done from the forwarder:
./splunk add forward-server beefysup01:50123
./splunk restart
Make sure, though, that you are monitoring the syslogs; otherwise you will not see any data in your indexer.
Cheers,
.gz
A light forwarder can be configured to receive data on TCP or UDP ports by putting one (or both) of the following as appropriate into $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/default-mode.conf:
[pipeline:udp]
disabled = false
[pipeline:tcp]
disabled = false
It can forward syslog output if you further add:
[pipeline:indexerPipe]
disabled_processors= indexandforward, diskusage, signing, http-output-generic-processor, stream-output-processor
But be warned that unless you are receiving and sending only syslog/UDP, the output will probably be broken in the wrong places, probably to the degree that it's useless if you're going from TCP to UDP (due to the fundamental nature of a Light Forwarder not recognizing event breaks in continuous data). This isn't a problem when forwarding to a Splunk indexer via SplunkTCP, because the indexer will expect to run parsing and line-breaking against the data, but this is not going to be true for a standard syslog receiver. Basically, just use a regular forwarder, or better, rsyslog or a real syslog server instead.
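The event-breaking problem described in the answer above is easy to see in a small simulation. This is an added example, not code from the answers or from Splunk: it models a forwarder that re-emits whatever TCP chunks it happened to read as UDP datagrams, beside one that buffers and splits on newlines before emitting. The sample syslog lines and the chunk size are constructed, and the UDP pass-through case is included to show why the "only syslog/UDP" situation is safe.

```python
import re

# Constructed sample syslog messages (RFC 3164 style); not from the original page.
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 host2 sshd[123]: Accepted publickey for alice from 10.0.0.5",
    "<13>Oct 11 22:14:17 host3 cron[456]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Loose shape check for a syslog line: <PRI>, BSD timestamp, hostname, tag.
SYSLOG_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ \S+")


def tcp_stream(messages):
    """A syslog-over-TCP sender writes messages back to back, newline terminated."""
    return "".join(m + "\n" for m in messages).encode()


def read_chunks(stream, chunk_size):
    """A TCP receiver sees arbitrary byte chunks, never message boundaries."""
    return [stream[i:i + chunk_size] for i in range(0, len(stream), chunk_size)]


def forward_without_event_breaking(stream, chunk_size):
    """Behaviour the answer warns about: every received chunk goes out as one
    UDP datagram, so datagram boundaries fall wherever the socket reads did."""
    return [c.decode(errors="replace") for c in read_chunks(stream, chunk_size)]


def forward_with_line_breaking(stream, chunk_size):
    """What a parsing receiver (indexer or real syslog daemon) does: buffer
    across reads and emit exactly one datagram per newline-terminated event."""
    buf = b""
    out = []
    for chunk in read_chunks(stream, chunk_size):
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            out.append(line.decode(errors="replace"))
    if buf:  # a trailing partial line would be held until more data arrives
        out.append(buf.decode(errors="replace"))
    return out


def forward_udp_passthrough(datagrams):
    """UDP in, UDP out: each datagram is already one event, so no breaking is needed."""
    return list(datagrams)


def count_intact(datagrams, originals):
    """Number of emitted datagrams that are exactly one original message."""
    return sum(1 for d in datagrams if d in originals)


def count_well_formed(datagrams):
    """Number of emitted datagrams that at least look like a syslog line."""
    return sum(1 for d in datagrams if SYSLOG_RE.match(d))


if __name__ == "__main__":
    stream = tcp_stream(SAMPLE_MESSAGES)
    naive = forward_without_event_breaking(stream, 64)
    broken = forward_with_line_breaking(stream, 64)
    print("raw TCP chunks re-emitted as UDP:", count_intact(naive, SAMPLE_MESSAGES),
          "of", len(naive), "datagrams intact;", count_well_formed(naive), "well-formed")
    print("line-broken before emitting:    ", count_intact(broken, SAMPLE_MESSAGES),
          "of", len(broken), "datagrams intact")
```

With a 64-byte read size none of the four re-emitted datagrams is a whole message and only the first even starts with a valid header; the line-breaking forwarder reproduces all three messages regardless of read size, which is the work the indexer does for you over SplunkTCP and a plain syslog receiver will not.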