
Can you forward indexed information to a syslog server

Explorer

Hi All,

I was wondering if it's possible for the below:

Server A - Contains the Event logs... i.e. a domain controller
Server B - Splunk pulls all the Event Logs from Server A and filters them, then forwards them to Server C (where Splunk is running in a receive mode)
Server C - Receives the filtered logs from Server B.

Now... for the tricky bit... I would then like to refilter with a different set of criteria on server C and then forward anything that matches to a Syslog Server that our Administrators use....

So far I haven't been able to accomplish this... and I'm not sure whether that's because it can't be done as the logs weren't received in a syslog format from Server A, or more likely because I'm stuffing up the config on Server C....

I am trying to use the below....

-----props.conf-----

# The stanza name must match the event's sourcetype exactly (or use a source::/host:: stanza);
# WMI event log inputs default to sourcetypes such as WMI:WinEventLog:Security.
[wmi]
TRANSFORMS-wmi = Syslog

----transforms.conf----

# _SYSLOG_ROUTING sends matching events to the [syslog:<group>] named in FORMAT
[Syslog]
REGEX = (?msi)^EventCode=(632)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ORION

----outputs.conf----

[syslog]
defaultGroup = nullGroup
# indexAndForward is a [tcpout] setting and is not valid in a [syslog] stanza
# indexAndForward = 1
disabled = false

[syslog:ORION]
server = 1.1.1.1:514


If anyone can point me in the right direction it would be appreciated!

Cheers,

David.

0 Karma

Re: Can you forward indexed information to a syslog server

Communicator

So basically you have the logs on Server C, where Splunk is also running, and you want Splunk to forward those logs to another server? I'm not aware of Splunk having the capability to forward to another non-Splunk server. If you're using Linux you could check out syslog-ng or rsyslogd.


0 Karma

Re: Can you forward indexed information to a syslog server

Splunk Employee

Splunk forwarders (LWF and UF) can only forward in Splunk format.

Splunk indexer can forward events as :
- syslog (udp or tcp)
- tcp raw
- Splunk format (to another Splunk server)
see http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Forwarddatatothird-partysystemsd

If you want to set up parsing rules (like filtering), it is only possible on an indexer or a heavy forwarder.
So in your case, the intermediate server can be a heavy forwarder and filter the events before forwarding them.
see http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Routeandfilterdatad
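As an added example (not from the original post and not Splunk's own documentation), this is what the filtering and syslog routing the answer describes look like when they live on Server B configured as a heavy forwarder. The sourcetype WMI:WinEventLog:Security, the extra event code 636, the IP addresses and the group names serverC and ORION are assumptions for illustration; 632 is the code from the question.

```ini
# --- Server B (heavy forwarder): $SPLUNK_HOME/etc/system/local/props.conf ---
# The stanza must match the events' sourcetype exactly. WMI:WinEventLog:Security
# is the default sourcetype of a wmi.conf Security event log input (assumed here).
[WMI:WinEventLog:Security]
# Transforms run left to right; a later one that sets the same DEST_KEY wins.
TRANSFORMS-routing = drop_everything, keep_wanted_codes, route_632_to_syslog

# --- Server B: $SPLUNK_HOME/etc/system/local/transforms.conf ---
# 1. Default: discard. REGEX "." matches any event.
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Rescue the EventCodes you want indexed (632 and 636 are example codes).
#    WMI event log events are multi-line key=value text and EventCode is not on
#    the first line, so (?m) is needed for ^ to anchor at each line start.
[keep_wanted_codes]
REGEX = (?m)^EventCode=(632|636)\b
DEST_KEY = queue
FORMAT = indexQueue

# 3. Independently, copy EventCode 632 to the ORION syslog group. This sets a
#    different DEST_KEY, so it does not undo step 2: the event is both forwarded
#    to Server C in Splunk format and sent to the administrators' syslog server.
[route_632_to_syslog]
REGEX = (?m)^EventCode=632\b
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ORION

# --- Server B: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Everything that survives the filter goes to Server C (the receiver) in Splunk format.
[tcpout]
defaultGroup = serverC
# Uncomment to also keep a local copy on Server B (valid only under [tcpout]):
# indexAndForward = true

[tcpout:serverC]
server = 10.0.0.3:9997

# No [syslog] defaultGroup, so nothing reaches syslog unless a transform
# sets _SYSLOG_ROUTING. Host, port and group name are placeholders.
[syslog:ORION]
server = 10.0.0.4:514
type = udp
```

The reason the original Server C configuration never fires is that a heavy forwarder (or indexer) parses the events before sending them on, and an indexer does not run props.conf/transforms.conf again on data that has already been parsed upstream. Filtering and syslog routing therefore have to sit on the first Splunk Enterprise instance in the chain that sees the raw events, which is Server B here; the universal and light forwarders cannot do it at all, as the answer above notes.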