Getting Data In

Do I configure outputs.conf on our forwarder or indexer to forward data to a third-party system?

Path Finder

Hello

I am using a heavy forwarder to forward data to an INDEXER which is successful. I now need to forward all the data to a third-party system. According to the document, I have prepared my outputs.conf to forward all the data, but am confused whether I use my outputs.conf on the forwarder, or if I need to specify it on my INDEXER.

My outputs.conf looks like:

[tcpout:forwarddata]
server = XXXXXXXXXX:7997
sendCookedData = false

And my other question is: do I need to use any specific software on the receiver, or can a Linux machine receive the data if the port is open?

Thanks

New Member

Sorry to dig out an old thread, but what if data is also gathered on the local indexer system, which is not a single forwarder? That means I need to configure those bits on the indexer only. Does that mean it's not technically possible?

0 Karma

Splunk Employee

So I assume that you need to forward the data to the 3rd party system via the syslog protocol, as I am not aware of any other system that understands the Splunk forwarder protocol.

It's pretty simple. On the heavy forwarder you will need some additional settings in props.conf, transforms.conf and outputs.conf.

In props.conf (default will apply to all sources):

[default]
TRANSFORMS-routing=syslogRouting

In transforms.conf (match every event and set the syslog routing key):

[syslogRouting]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslogGroup

In outputs.conf (use the syslogGroup to point to your syslog server and port):

[syslog:syslogGroup]
server = xx.xx.xx.xx:514

0 Karma

Engager

Hello

After this configuration, we receive a large number of audit logs on our syslog server, but we do not need these audit logs of Splunk's own. We want to forward only the specified logs that we have collected to the syslog server. How do we filter out these audit logs?

Specific properties:

  • host = KCS-PC
  • source = vmware_sdwan_event://vco test opt
  • sourcetype = vco_event_log

Thanks

0 Karma
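The routing chain in the Splunk Employee's answer spans three files, and the follow-up question about unwanted audit logs comes down to which props.conf stanza carries the TRANSFORMS- setting. The Python script below is an added example, not code from this thread or from Splunk: it reads constructed copies of the three files, follows each TRANSFORMS- reference through transforms.conf to its [syslog:<group>] stanza in outputs.conf, and reports the scope of the props stanza the route hangs off. A [default] stanza applies to every event the heavy forwarder processes, Splunk's own internal and audit events included; the same setting under a sourcetype stanza (the vco_event_log sourcetype from the question is used here), a source:: stanza or a host:: stanza limits the route to those events. The server address 192.0.2.10 and the TCPOUT_ONLY sample, which reproduces the original poster's tcpout-only configuration, are constructed for the example.

```python
"""Resolve a Splunk syslog route across props.conf, transforms.conf and outputs.conf.

Added example (not Splunk's own tooling): a minimal .conf reader plus a checker
that follows TRANSFORMS-* -> transforms stanza -> _SYSLOG_ROUTING FORMAT ->
[syslog:<group>] and reports which events each route applies to.
"""
from __future__ import annotations


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Tiny Splunk .conf reader: [stanza] headers, key = value lines, # comments.
    Settings above the first header belong to [default], as in Splunk."""
    stanzas: dict[str, dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def describe_scope(stanza: str) -> str:
    """Which events a props.conf stanza applies to."""
    if stanza == "default":
        return "every event, including Splunk's own internal and audit events"
    if stanza.startswith("host::"):
        return f"events from host {stanza[len('host::'):]}"
    if stanza.startswith("source::"):
        return f"events with source {stanza[len('source::'):]}"
    return f"events with sourcetype {stanza}"


def resolve_routes(props, transforms, outputs):
    """Return (routes, problems); each route is (props_stanza, transform, group, server)."""
    routes, problems = [], []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # TRANSFORMS-<name> takes a comma-separated list of transforms stanzas
            for name in (n.strip() for n in value.split(",") if n.strip()):
                tr = transforms.get(name)
                if tr is None:
                    problems.append(f"[{stanza}] {key}: transform '{name}' not in transforms.conf")
                    continue
                if tr.get("DEST_KEY") != "_SYSLOG_ROUTING":
                    continue  # some other routing key; not a syslog route
                group = tr.get("FORMAT", "")
                out = outputs.get(f"syslog:{group}")
                if not out or "server" not in out:
                    problems.append(f"[{name}] FORMAT={group!r}: no [syslog:{group}] stanza with a "
                                    f"server in outputs.conf (a [tcpout:...] stanza does not count)")
                    continue
                routes.append((stanza, name, group, out["server"]))
    return routes, problems


# Constructed sample configs (the thread's settings, with placeholder addresses).
PROPS_BROAD = """
[default]
TRANSFORMS-routing = syslogRouting
"""
PROPS_SCOPED = """
# Same transform, but only for the sourcetype named in the question.
[vco_event_log]
TRANSFORMS-routing = syslogRouting
"""
TRANSFORMS = """
[syslogRouting]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
"""
OUTPUTS = """
[syslog:syslogGroup]
server = 192.0.2.10:514
"""
TCPOUT_ONLY = """
[tcpout:forwarddata]
server = 192.0.2.10:7997
sendCookedData = false
"""

if __name__ == "__main__":
    for label, props in (("broad", PROPS_BROAD), ("scoped", PROPS_SCOPED)):
        routes, problems = resolve_routes(parse_conf(props), parse_conf(TRANSFORMS), parse_conf(OUTPUTS))
        for stanza, name, group, server in routes:
            print(f"{label}: [{stanza}] -> {name} -> syslog:{group} -> {server} ({describe_scope(stanza)})")
        print(f"{label}: problems = {problems}")
    print(resolve_routes(parse_conf(PROPS_BROAD), parse_conf(TRANSFORMS), parse_conf(TCPOUT_ONLY))[1])
```

Running it against the thread's own combination shows the broad route applying to every event, the scoped route applying only to vco_event_log, and the tcpout-only outputs.conf producing a problem rather than a route, which is the mismatch the original question was circling.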

Splunk Employee

If you send it as raw TCP you will need something to listen on that port and do something with the data stream. You would need some process or script to handle it. If you've got that part covered, you should be ok.

If, on the other hand, you send it as syslog on port 514 or some other agreed upon port, you could use something like syslog-ng or rsyslog to listen for it and then take action on it (e.g., write to disk or forward elsewhere).

0 Karma
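To make concrete what "something to listen on that port" means, the Python receiver below is an added example, not code from this thread or from Splunk. It accepts newline-delimited TCP data, parses RFC 3164 syslog framing (the <PRI> priority, timestamp and host) when a line carries it, and keeps the line as raw text otherwise, which is what a sendCookedData = false tcpout stream looks like at the socket. The sample lines are constructed; the demo helper binds an ephemeral loopback port so it runs offline. In production, rsyslog or syslog-ng does this job as the answer suggests.

```python
"""Minimal TCP syslog/raw-line receiver (added example, not Splunk or rsyslog code)."""
import re
import socket
import socketserver
import threading
import time

# RFC 3164: "<PRI>" where PRI = facility * 8 + severity (0..191)
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# RFC 3164 header: "Mmm dd HH:MM:SS hostname message"
HDR_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)


def parse_syslog_line(line: str) -> dict:
    """Return a record with facility/severity/timestamp/host when syslog-framed,
    otherwise the untouched raw line (what a raw tcpout stream delivers)."""
    rec = {"raw": line, "facility": None, "severity": None,
           "timestamp": None, "host": None, "message": line}
    m = PRI_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        return rec
    rec["facility"], rec["severity"] = divmod(int(m.group("pri")), 8)
    rest = m.group("rest")
    h = HDR_RE.match(rest)
    if h:
        rec["timestamp"], rec["host"], rec["message"] = h.group("ts"), h.group("host"), h.group("msg")
    else:
        rec["message"] = rest  # priority present but no standard header
    return rec


class LineHandler(socketserver.StreamRequestHandler):
    """One TCP connection: split on newlines, parse, hand each record to the sink."""

    def handle(self):
        for raw in self.rfile:
            line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if line:
                self.server.sink(parse_syslog_line(line))


class SyslogTCPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, sink):
        super().__init__(addr, LineHandler)
        self.sink = sink  # callable receiving each parsed record


# Constructed sample input: a Splunk-style line for the sourcetype from the thread,
# the RFC 3164 example message, and one unframed raw line.
SAMPLE_LINES = [
    "<13>Jun 14 10:15:00 KCS-PC vco_event_log: EDGE_UP edge=test-edge",
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "plain raw tcp line with no syslog header",
]


def demo(lines=SAMPLE_LINES, timeout=5.0):
    """Start a receiver on an ephemeral loopback port, send the lines, return parsed records."""
    received = []
    server = SyslogTCPServer(("127.0.0.1", 0), received.append)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address) as s:
            s.sendall(("\n".join(lines) + "\n").encode())
        deadline = time.time() + timeout
        while len(received) < len(lines) and time.time() < deadline:
            time.sleep(0.05)
    finally:
        server.shutdown()
        server.server_close()
    return received


if __name__ == "__main__":
    for rec in demo():
        print(f"fac={rec['facility']} sev={rec['severity']} host={rec['host']} msg={rec['message']!r}")
```

The parser is the part worth keeping: a receiver that only dumps bytes to disk cannot tell a forwarded application event from whatever else arrives on the port, while the facility, severity and host fields give a downstream filter something to key on.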

Influencer

You would do this at the forwarder. Take a look at this doc: http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Forwarddatatothird-partysystemsd

0 Karma

Path Finder

Can you please answer my question 2? Do I need to use any specific software on the receiver, or can a Linux machine receive the data if the port is open?

0 Karma

Influencer

You can send in syslog format and receive with syslog-ng or rsyslog.

0 Karma