Hello
I am using a heavy forwarder to forward data to an INDEXER which is successful. I now need to forward all the data to a third-party system. According to the document, I have prepared my outputs.conf to forward all the data, but am confused whether I use my outputs.conf on the forwarder, or if I need to specify it on my INDEXER.
My outputs.conf looks like:
[tcpout:forwarddata]
server = XXXXXXXXXX:7997
# send raw events rather than Splunk's cooked format, since the receiver is not a Splunk instance
sendCookedData = false
And my other question is: do I need to use any specific software on the receiver, or can a Linux machine receive the data if the port is open?
Thanks
Sorry to dig out an old thread, but what if data is also gathered on the local indexer system, which is not a single forwarder? That means I need to configure those bits on the indexer only. Does that mean it's not technically possible?
So I assume that you need to forward the data to the third-party system via the syslog protocol, as I am not aware of any other system that understands the Splunk forwarder protocol.
It's pretty simple. On the heavy forwarder you will need some additional settings in props.conf, transforms.conf and outputs.conf.
In props.conf (default will apply to all sources):
[default]
# TRANSFORMS-<name> points at a stanza in transforms.conf; [default] applies it to every source
TRANSFORMS-routing=syslogRouting
In transforms.conf (match every event and set the syslog routing key):
[syslogRouting]
# "." matches any event, so every event gets the routing key
REGEX=.
# write the match result into the syslog routing key instead of a field
DEST_KEY=_SYSLOG_ROUTING
# value of _SYSLOG_ROUTING; must match a [syslog:<group>] stanza in outputs.conf
FORMAT=syslogGroup
In outputs.conf (use the syslogGroup to point to your syslog server and port):
[syslog:syslogGroup]
# syslog destination; host is a placeholder, 514 is the standard syslog port
server = xx.xx.xx.xx:514
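The three files above only work when they reference each other consistently (props names the transform, the transform sets _SYSLOG_ROUTING to a group, outputs defines that group). The checker below is an added example, not from the thread or from Splunk, that walks that chain over constructed copies of the stanzas and reports breaks; it also flags the [default] scope, since that is what makes the forwarder's own logs flow to the syslog server too. It assumes plain INI-style .conf text and a placeholder host.

```python
import configparser

# Constructed copies of the three stanzas from the thread; the host is a placeholder.
PROPS = "[default]\nTRANSFORMS-routing=syslogRouting\n"
TRANSFORMS = "[syslogRouting]\nREGEX=.\nDEST_KEY=_SYSLOG_ROUTING\nFORMAT=syslogGroup\n"
OUTPUTS = "[syslog:syslogGroup]\nserver = xx.xx.xx.xx:514\n"


def _load(text):
    # Splunk .conf files are INI-like; keep key case (TRANSFORMS-routing) and allow duplicates.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def resolve_syslog_routing(props_text, transforms_text, outputs_text):
    """Follow props TRANSFORMS-* -> transforms stanza -> outputs [syslog:<group>].

    Returns (chain, problems): chain lists (props stanza, transform, server) for every
    working route; problems lists human-readable reasons a route would not work.
    """
    props, transforms, outputs = (_load(t) for t in (props_text, transforms_text, outputs_text))
    chain, problems = [], []
    for stanza in props.sections():
        if stanza == "default":
            problems.append("props [default] applies to every source, including the forwarder's "
                            "own internal and audit logs; scope it to a sourcetype/source stanza")
        for key, value in props.items(stanza):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                if not transforms.has_section(name):
                    problems.append(f"[{stanza}] {key} references missing transforms stanza [{name}]")
                elif transforms.get(name, "DEST_KEY", fallback="") != "_SYSLOG_ROUTING":
                    problems.append(f"[{name}] DEST_KEY must be _SYSLOG_ROUTING for syslog routing")
                else:
                    group = f"syslog:{transforms.get(name, 'FORMAT', fallback='')}"
                    server = outputs.get(group, "server", fallback="")
                    if server:
                        chain.append((stanza, name, server))
                    else:
                        problems.append(f"[{name}] FORMAT has no [{group}] stanza with a server in outputs.conf")
    return chain, problems
```

Feeding it a props stanza scoped to one sourcetype instead of [default] yields the same route without the warning, which is the usual way to keep Splunk's own logs out of the syslog feed.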
Hello
After this configuration, we receive a large number of audit logs on our syslog server, but we do not need Splunk's own audit logs; we want to forward only the specified logs that we have collected to the syslog server. How do we filter out these audit logs?
Specific properties:
Thanks
If you send it as raw TCP you will need something to listen on that port and do something with the data stream. You would need some process or script to handle it. If you've got that part covered, you should be OK.
If, on the other hand, you send it as syslog on port 514 or some other agreed-upon port, you could use something like syslog-ng or rsyslog to listen for it and then take action on it (e.g., write to disk or forward elsewhere).
You would do this at the forwarder. Take a look at this doc: http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Forwarddatatothird-partysystemsd
Can you please answer my question 2? Do I need to use any specific software on the receiver, or can a Linux machine receive the data if the port is open?
You can send in syslog format and receive with syslog-ng or rsyslog.