Getting Data In

Forwarding data from Heavy forwarder to syslog server exclude audit.log

eorMsisseL
Engager

We're trying to do:

Collect Event Log by REST input on Splunk Enterprise 8.1 --> HF (v8.1 on Windows) --> external Syslog destination.

The logs forwarded from splunk are available on the syslog server and contain the logs we need, but they also contain many audit logs from splunk itself.
No matter how much we modify output.conf we cannot change this.
What do we need to configure in order to filter the audit logs of splunk itself?

Thanks.

Here is the config:

C:\Program Files\Splunk\etc\apps\SplunkForwarder\default\

outputs.conf

[syslog]
defaultGroup = vco_event_group
priority = NO_PRI
syslogSourceType = sourcetype::vco_event_log

[syslog:vco_event_group]
server = 172.16.36.251:5140

props.conf

[vco_event_log]
TRANSFORMS-vco_event_log = vco_to_syslog

transforms.conf

[vco_to_syslog]
DEST_KEY = MetaData:Sourcetype
REGEX = vco_event_log
FORMAT = vco_event_group

Audit log on Syslog Server

SyslogSyslog

 

log we needed

Snipaste_2020-11-21_23-15-42.png

 

event info.

Event InfoEvent Info

 

 

Labels (3)

to4kawa
SplunkTrust
SplunkTrust