Getting Data In

Forward logs to third party and no duplicates in splunk

Anto
Explorer

I want to forward logs to third party system (syslog) without index these data into splunk but i can't accomplish it, help.

On my heavy forwarder i set up outputs.conf, transforms.conf, props.conf as follow:

 

outuputs.conf

[syslog:my_syslog_group]
server = <IP>:PORT

 

transforms.conf

[send_to_syslog]
REGEX = MY REGEX
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

[not_send_to_syslog]
REGEX = MY REGEX
DEST_KEY =queue
FORMAT =nullQueue

 

 

props.conf

[source::MY_SOURCE]
TRANSFORMS-t0=send_to_syslog,not_send_to_syslog


In this way logs don't forward to my syslog, they will be just deleted and not indexed. Removing [not_send_to_syslog] from props and transforms data will be indexed on splunk and also forwarded to syslog.

How can i achieve my problem, sending data to syslog and not indexing them on splunk? Thanks in advantage to those who will help me.

0 Karma
1 Solution

Anto
Explorer

I find out the solution. In the transform.conf just replace DEST_KEY as follow:

[not_send_to_syslog]
REGEX = MY REGEX
DEST_KEY =_TCP_ROUTING
FORMAT =nullQueue

 

All done now. thanks to all

 

View solution in original post

Anto
Explorer

I find out the solution. In the transform.conf just replace DEST_KEY as follow:

[not_send_to_syslog]
REGEX = MY REGEX
DEST_KEY =_TCP_ROUTING
FORMAT =nullQueue

 

All done now. thanks to all

 

scelikok
SplunkTrust
SplunkTrust

Hi @Anto,

Can you try changing the order of transforms in props.conf

[source::MY_SOURCE]
TRANSFORMS-t0=not_send_to_syslog, send_to_syslog

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

Anto
Explorer

Thank you for your answer but it didn't help. Logs aren't forwarded to syslog and they entered in nullqueue so i don't saw them also in splunk. Any other ideas?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What's the point of sending data to Splunk if it won't be indexed?  Send the syslog data directly to the syslog server.

---
If this reply helps you, Karma would be appreciated.
0 Karma

anilkapoor123
Explorer

Hi ,

plese help , how can i send data directly to  remote system , or syslog without indexing.

please provide the config settings for inputs.conf, outputs.conf, props.conf , transforms.conf

you help is appreciated.

thanks

0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. This thread is over two years old. It's usually better to start a new one instead of digging up such antiquities. Possibly linking to the old one for reference what you already found.

2. You already had a solution in this thread.

3. If you don't want to use the data in Splunk in any way why send it there in the first place? It seems to make more sense to send it directly to the destination system.

0 Karma

anilkapoor123
Explorer

@PickleRick 

without forwarding data to splunk heavy forwarder i cannot send to syslog server 

do you have any alernative for this like to 

forward ftop logs from window directory to syslog server without using splunk 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

If you just want to pick up log files from local directory on windows computer and send the events from them to a syslog destination, use a syslog daemon for windows (Like NXLog, or Kiwi).

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This thread is two years old with an accepted answer.  For better chances at getting an answer, please post a new question.

---
If this reply helps you, Karma would be appreciated.

Anto
Explorer

Because i don't need them for the analysis in Splunk but i want to preserve the logs  without exceed my license just for 2 GB. So you are telling me that this isn't possible to do directly from splunk? Thank you for your reply, i want just to understand

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...