Forwarding data from Heavy forwarder to syslog server exclude audit.log


We're trying to do:

Collect Event Log by REST input on Splunk Enterprise 8.1 --> HF (v8.1 on Windows) --> external Syslog destination.

The logs forwarded from Splunk are available on the syslog server and contain the logs we need, but they also contain many audit logs from Splunk itself.
No matter how much we modify outputs.conf, we cannot change this.
What do we need to configure in order to filter the audit logs of splunk itself?


Here is the config (from C:\Program Files\Splunk\etc\apps\SplunkForwarder\default\; the stanza headers did not survive in the post and are reconstructed below from the key names, except for the props.conf stanza, which is not shown):

```ini
# outputs.conf
[syslog]
defaultGroup = vco_event_group

[syslog:vco_event_group]
priority = NO_PRI
syslogSourceType = sourcetype::vco_event_log
server =

# props.conf (stanza header not shown in the post)
TRANSFORMS-vco_event_log = vco_to_syslog

# transforms.conf
[vco_to_syslog]
DEST_KEY = MetaData:Sourcetype
REGEX = vco_event_log
FORMAT = vco_event_group
```

Audit log on syslog server (screenshot)

Log we needed (screenshot)

Event info (screenshot)
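The routing layout that keeps Splunk's own audit events (sourcetype audittrail, index _audit) and other internal logs out of the syslog feed, as an added example that is not part of the original post or any Splunk answer. The point it shows: a defaultGroup under [syslog] sends every event the heavy forwarder parses to the syslog group, and a transform whose DEST_KEY is MetaData:Sourcetype only rewrites the sourcetype, it does not route anything. Selecting which events reach syslog is done with a transform that sets _SYSLOG_ROUTING, applied only to the wanted sourcetype. The destination address, the props.conf stanza name and the sourcetype vco_event_log are assumptions.

```ini
# outputs.conf on the heavy forwarder
#
# Weak setting (what the original config does): every event, including
# Splunk's own audittrail and _internal logs, is routed to the syslog group.
#[syslog]
#defaultGroup = vco_event_group

# Corrected: no defaultGroup, so nothing reaches syslog unless a transform
# sets _SYSLOG_ROUTING to this group name.
[syslog:vco_event_group]
server = 192.0.2.10:514          # assumed syslog host; udp is the default type
type = udp
priority = NO_PRI
syslogSourceType = sourcetype::vco_event_log
timestampformat = %b %e %H:%M:%S

# props.conf: attach the routing transform to the wanted sourcetype only.
# Assumed stanza name; a [source::...] stanza works the same way.
[vco_event_log]
TRANSFORMS-route_to_syslog = vco_to_syslog

# transforms.conf: set the routing key instead of rewriting the sourcetype.
[vco_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = vco_event_group
```

Two caveats when checking this. First, _SYSLOG_ROUTING is assigned in the parsing pipeline, and data arriving at the heavy forwarder from the Splunk Enterprise instance that runs the REST input is already cooked, so the props.conf and transforms.conf stanzas belong on the instance that parses the data first (the Splunk Enterprise host in the setup described above), not on a downstream heavy forwarder. Second, audit events produced locally by the forwarder itself do go through its parsing pipeline, which is exactly why a defaultGroup picks them up; with no defaultGroup and no transform matching sourcetype audittrail they stay out of the syslog group while still being indexed in _audit as usual.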



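A check to run against the syslog server's capture after the change, as an added example (not from the original post): it parses one event per line with an RFC 3164 style header, treats the priority prefix as optional because NO_PRI suppresses it, and flags Splunk audit events by their native "Audit:[" prefix. The sample lines are constructed, not a real capture, and the host and field names are assumptions.

```python
"""Count Splunk audittrail events in a syslog capture (added example)."""
import re
from collections import Counter

# Constructed sample capture: two application events (one with the default
# <13> priority, one without, as produced under priority = NO_PRI), one
# Splunk audittrail event and one line that is not syslog at all.
SAMPLE_LINES = [
    '<13>May 12 10:00:01 hf01 vco_event_log: {"eventId": 101, "type": "backup"}',
    "May 12 10:00:02 hf01 Audit:[timestamp=05-12-2021 10:00:02.000, "
    "user=admin, action=search, info=granted]",
    'May 12 10:00:03 hf01 vco_event_log: {"eventId": 102, "type": "restore"}',
    "garbage line",
]

# Optional <PRI>, BSD timestamp, host, then the message body.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# key=value pairs inside a Splunk audit event, e.g. user=admin, action=search
AUDIT_KV = re.compile(r"(\w+)=([^,\]]+)")


def parse(line):
    """Return the header fields of one syslog line, or None if it is not syslog."""
    m = HEADER.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def is_splunk_audit(msg):
    """Splunk's audit.log events keep their 'Audit:[...]' body when forwarded."""
    return msg.startswith("Audit:[")


def classify(lines):
    """Count lines as 'audit' (Splunk's own), 'application' or 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
        elif is_splunk_audit(rec["msg"]):
            counts["audit"] += 1
        else:
            counts["application"] += 1
    return counts


def audit_events(lines):
    """Return the parsed key/value fields of every Splunk audit event found."""
    found = []
    for line in lines:
        rec = parse(line)
        if rec and is_splunk_audit(rec["msg"]):
            fields = dict(AUDIT_KV.findall(rec["msg"]))
            fields["host"] = rec["host"]
            found.append(fields)
    return found


if __name__ == "__main__":
    print(dict(classify(SAMPLE_LINES)))
    for ev in audit_events(SAMPLE_LINES):
        print("leaked audit event:", ev)
```

Run it over the syslog server's file (for example `classify(open("/var/log/splunk-feed.log"))`); after the routing fix the "audit" count should be zero, and any remaining entries name the host that is still leaking them.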