Getting Data In

Can a light forwarder forward on udp/syslog data?

Genti
Splunk Employee
Splunk Employee

I would like to deploy Light Forwarders at our remote locations to act as a syslog server. Can light forwarder be configured to forward data and receive data on TCP/UDP 514? Or is this only possible in a standard forwarder?

2 Solutions

Genti
Splunk Employee
Splunk Employee

You can do either of these two things:

1- You can send raw data to splunk indexer through both tcp and udp ports using your syslog. or 2 - You can send splunk data (from a forwarder) to the splunk indexer through ONLY TCP.

so, if you want to go with option 1, and keep your syslog and send data to splunk, you can use: ./splunk add tcp 50333 Listening for data on TCP port 50333. ./splunk add udp 50332 Listening for UDP input on port 50332.

Of course you can change the port to 514 as needed by syslog.

If you do not want to use syslog then you can use:

The listening needs to be done on the indexer: ./splunk enable listen 50123 ./splunk restart

The forwarding needs to be done from the forwarder: ./splunk add forward-server beefysup01:50123 ./splunk restart

Make sure though that you are monitoring the syslogs otherwise you will not see any data in your indexer.

Cheers,

.gz

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

A light forwarder can be configured to receive data on TCP or UDP ports by putting one (or both) of the following as appropriate into $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/default-mode.conf:

[pipeline:udp]
disabled = false

[pipeline:tcp]
disabled = false

It can forward syslog output if you further add:

[pipeline:indexerPipe]
disabled_processors= indexandforward, diskusage, signing, http-output-generic-processor, stream-output-processor 

But be warned that unless you are receiving and sending only syslog/UDP, the output will probably be broken in the wrong places, probably to the degree that it's useless if you're going from TCP to UDP. (due to the fundamental nature of a Light Forwarder not recognizing event breaks in continuous data). This isn't a problem when forwarding to a Splunk indexer via SplunkTCP because the indexer will expect to run parsing and line-breaking against the data, but this is not going to be true for a standard syslog receiver. Basically, just use a regular forwarder, or better, rsyslog or real syslog server instead.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

A light forwarder can be configured to receive data on TCP or UDP ports by putting one (or both) of the following as appropriate into $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/default-mode.conf:

[pipeline:udp]
disabled = false

[pipeline:tcp]
disabled = false

It can forward syslog output if you further add:

[pipeline:indexerPipe]
disabled_processors= indexandforward, diskusage, signing, http-output-generic-processor, stream-output-processor 

But be warned that unless you are receiving and sending only syslog/UDP, the output will probably be broken in the wrong places, probably to the degree that it's useless if you're going from TCP to UDP. (due to the fundamental nature of a Light Forwarder not recognizing event breaks in continuous data). This isn't a problem when forwarding to a Splunk indexer via SplunkTCP because the indexer will expect to run parsing and line-breaking against the data, but this is not going to be true for a standard syslog receiver. Basically, just use a regular forwarder, or better, rsyslog or real syslog server instead.

Genti
Splunk Employee
Splunk Employee

You can do either of these two things:

1- You can send raw data to splunk indexer through both tcp and udp ports using your syslog. or 2 - You can send splunk data (from a forwarder) to the splunk indexer through ONLY TCP.

so, if you want to go with option 1, and keep your syslog and send data to splunk, you can use: ./splunk add tcp 50333 Listening for data on TCP port 50333. ./splunk add udp 50332 Listening for UDP input on port 50332.

Of course you can change the port to 514 as needed by syslog.

If you do not want to use syslog then you can use:

The listening needs to be done on the indexer: ./splunk enable listen 50123 ./splunk restart

The forwarding needs to be done from the forwarder: ./splunk add forward-server beefysup01:50123 ./splunk restart

Make sure though that you are monitoring the syslogs otherwise you will not see any data in your indexer.

Cheers,

.gz

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...