Getting Data In

Can a light forwarder forward on udp/syslog data?

Genti
Splunk Employee

I would like to deploy Light Forwarders at our remote locations to act as a syslog server. Can a light forwarder be configured to forward data and receive data on TCP/UDP 514? Or is this only possible in a standard forwarder?

2 Solutions

Genti
Splunk Employee

You can do either of these two things:

1. You can send raw data to the Splunk indexer through both TCP and UDP ports using your syslog, or
2. You can send Splunk data (from a forwarder) to the Splunk indexer through ONLY TCP.

So, if you want to go with option 1, keep your syslog and send data to Splunk, you can use:

./splunk add tcp 50333
Listening for data on TCP port 50333.

./splunk add udp 50332
Listening for UDP input on port 50332.

Of course you can change the port to 514 as needed by syslog.

If you do not want to use syslog then you can use:

The listening needs to be done on the indexer:

./splunk enable listen 50123
./splunk restart

The forwarding needs to be done from the forwarder:

./splunk add forward-server beefysup01:50123
./splunk restart

Make sure, though, that you are monitoring the syslogs; otherwise you will not see any data in your indexer.

Cheers,

.gz


gkanapathy
Splunk Employee

A light forwarder can be configured to receive data on TCP or UDP ports by putting one (or both) of the following as appropriate into $SPLUNK_HOME/etc/apps/SplunkLightForwarder/local/default-mode.conf:

[pipeline:udp]
disabled = false

[pipeline:tcp]
disabled = false

It can forward syslog output if you further add:

[pipeline:indexerPipe]
disabled_processors = indexandforward, diskusage, signing, http-output-generic-processor, stream-output-processor

But be warned that unless you are receiving and sending only syslog/UDP, the output will probably be broken in the wrong places, probably to the degree that it's useless if you're going from TCP to UDP (due to the fundamental nature of a Light Forwarder not recognizing event breaks in continuous data). This isn't a problem when forwarding to a Splunk indexer via SplunkTCP, because the indexer will expect to run parsing and line-breaking against the data, but this is not going to be true for a standard syslog receiver. Basically, just use a regular forwarder or, better, rsyslog or a real syslog server instead.

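The TCP-to-UDP breakage gkanapathy describes, modelled as an added Python example (not Splunk code and not from either answer): a relay that re-emits each TCP read as one UDP datagram, beside a relay that buffers until a newline so each datagram is one whole syslog message. The syslog lines and the TCP read sizes are constructed for the demo.

```python
# Constructed sample: three newline-terminated syslog messages arriving over one TCP stream.
SYSLOG_LINES = [
    b"<34>Jan  5 10:00:01 fw01 sshd[123]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2",
    b"<34>Jan  5 10:00:02 fw01 sshd[123]: Connection closed by 203.0.113.7 port 4422",
    b"<13>Jan  5 10:00:03 fw01 sudo:   ops : TTY=pts/0 ; COMMAND=/bin/systemctl restart rsyslog",
]
STREAM = b"\n".join(SYSLOG_LINES) + b"\n"
# Constructed socket read sizes; none of them lands on a message boundary.
READ_SIZES = [50, 60, 70, 80]


def relay_without_event_breaking(stream: bytes, read_sizes) -> list:
    """Model of a light forwarder pushing a TCP stream out as UDP: every TCP read is
    sent as one datagram exactly as received, so datagram boundaries follow the
    socket reads rather than the syslog message boundaries."""
    datagrams, pos = [], 0
    for n in read_sizes:
        chunk = stream[pos:pos + n]
        if not chunk:
            break
        datagrams.append(chunk)
        pos += n
    if pos < len(stream):          # whatever the last read returned
        datagrams.append(stream[pos:])
    return datagrams


def relay_with_line_breaking(stream: bytes, read_sizes):
    """Model of a syslog-aware relay: buffer the TCP reads and emit one datagram per
    newline-terminated message. Returns (datagrams, unfinished_tail)."""
    datagrams, pending = [], b""
    for chunk in relay_without_event_breaking(stream, read_sizes):
        pending += chunk
        while b"\n" in pending:
            line, pending = pending.split(b"\n", 1)
            datagrams.append(line)
    return datagrams, pending


def broken_datagrams(datagrams, messages) -> list:
    """Datagrams that a syslog receiver would not see as exactly one whole message."""
    return [d for d in datagrams if d.rstrip(b"\n") not in messages]


if __name__ == "__main__":
    naive = relay_without_event_breaking(STREAM, READ_SIZES)
    good, tail = relay_with_line_breaking(STREAM, READ_SIZES)
    print(f"raw relay: {len(naive)} datagrams, {len(broken_datagrams(naive, SYSLOG_LINES))} broken")
    print(f"line-aware relay: {len(good)} datagrams, {len(broken_datagrams(good, SYSLOG_LINES))} broken")
```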