I want to forward logs to a third-party system (syslog) without indexing this data into Splunk, but I can't accomplish it. Help.
On my heavy forwarder I set up outputs.conf, transforms.conf and props.conf as follows:
outputs.conf
[syslog:my_syslog_group]
server = <IP>:PORT
transforms.conf
[send_to_syslog]
REGEX = MY REGEX
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
[not_send_to_syslog]
REGEX = MY REGEX
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[source::MY_SOURCE]
TRANSFORMS-t0=send_to_syslog,not_send_to_syslog
In this way logs aren't forwarded to my syslog; they are just deleted and not indexed. Removing [not_send_to_syslog] from props and transforms, the data will be indexed in Splunk and also forwarded to syslog.
How can I solve my problem, sending data to syslog and not indexing it in Splunk? Thanks in advance to those who will help me.
I found the solution. In transforms.conf just replace DEST_KEY as follows:
[not_send_to_syslog]
REGEX = MY REGEX
DEST_KEY = _TCP_ROUTING
FORMAT = nullQueue
All done now. Thanks to all.
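The accepted answer gathered into one complete set of files, as an added illustration rather than the original poster's exact configuration: the addresses, the regex and the indexer group are placeholders, and the thread's own DEST_KEY = _TCP_ROUTING / FORMAT = nullQueue trick is kept exactly as reported there.

```ini
# outputs.conf (heavy forwarder) -- placeholder addresses
[syslog:my_syslog_group]
server = 192.0.2.10:514        ; placeholder syslog destination
type = udp

[tcpout]
defaultGroup = my_indexers
indexAndForward = false        ; default on a heavy forwarder: never index locally

[tcpout:my_indexers]
server = 192.0.2.20:9997       ; placeholder indexer

# transforms.conf
[send_to_syslog]
REGEX = .                      ; placeholder: match every event of the source
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

# The first attempt in the thread used DEST_KEY = queue / FORMAT = nullQueue.
# That discards the event in the typing pipeline, so it never reaches the
# syslog output either. The version below, as reported in the thread, keeps
# the event and only leaves it without a tcpout group, so it is not indexed.
[not_send_to_syslog]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = nullQueue

# props.conf -- transforms listed in one TRANSFORMS- setting run left to right
[source::MY_SOURCE]
TRANSFORMS-t0 = send_to_syslog, not_send_to_syslog
```

Splunk does not meter license volume on events that are only forwarded, so with this setup the syslog copy does not count against the indexing license that the original poster was trying to stay under.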
Hi @Anto,
Can you try changing the order of transforms in props.conf?
[source::MY_SOURCE]
TRANSFORMS-t0=not_send_to_syslog, send_to_syslog
Thank you for your answer but it didn't help. Logs aren't forwarded to syslog and they go into the nullQueue, so I don't see them in Splunk either. Any other ideas?
What's the point of sending data to Splunk if it won't be indexed? Send the syslog data directly to the syslog server.
Hi,
Please help, how can I send data directly to a remote system, or to syslog, without indexing?
Please provide the config settings for inputs.conf, outputs.conf, props.conf and transforms.conf.
Your help is appreciated.
Thanks
1. This thread is over two years old. It's usually better to start a new one instead of digging up such antiquities, possibly linking to the old one for reference to what you already found.
2. You already had a solution in this thread.
3. If you don't want to use the data in Splunk in any way why send it there in the first place? It seems to make more sense to send it directly to the destination system.
Without forwarding data to a Splunk heavy forwarder I cannot send to a syslog server.
Do you have any alternative for this, like to
forward ftop logs from a Windows directory to a syslog server without using Splunk?
If you just want to pick up log files from a local directory on a Windows computer and send the events from them to a syslog destination, use a syslog daemon for Windows (like NXLog or Kiwi).
This thread is two years old with an accepted answer. For better chances at getting an answer, please post a new question.
Because I don't need them for the analysis in Splunk, but I want to preserve the logs without exceeding my license of just 2 GB. So you are telling me that this isn't possible to do directly from Splunk? Thank you for your reply; I just want to understand.