We have to forward some data from a Splunk Heavy Forwarder to a third party syslog server.
This is possible as indicated here:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Forwarddatatothird-partysystemsd
The challenge is to select only some files from a particular host and forward only the logs that contain a particular string.
Here is what we were able to achieve (basically 2 rules out of 3, i.e. some files that contain a particular string). I don't know whether it is possible to also add a reference to the host in some way.
Do you know if it is feasible?
outputs.conf
[syslog:syslog_target]
type = udp
server = 111.222.333.444:514
props.conf
[source::/path/of/myfile/*filename.log]
TRANSFORMS-syslog_forward = syslog_forward_rule
transforms.conf
[syslog_forward_rule]
REGEX = www\.mywebsite\.com
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_target
Thanks a lot,
Edoardo
@thambisetty Thanks for your feedback.
Basically there is no way to use host, sourcetype and regex all together, unless you have the host:
I don't think you can make use of host and source combinations in a single props stanza.
If the source specified in props matches events coming from those hosts you want to include, and the event contains the host value, then you can modify your regex in transforms to identify the events you want to forward to syslog.
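A way to check the approach suggested above before touching the production configuration, as an added example that is not part of this thread and not Splunk's own code: it reproduces the two selection stages the question already has (a `source::` stanza in props.conf and a `REGEX` in transforms.conf) and shows what happens when the host name is folded into the regex, the workaround thambisetty describes. The host name `webhost01`, the file name `app_filename.log` and the sample events are constructed placeholders; the assumption is that the originating host appears literally in the raw event text, which is what the workaround depends on. The `source::` pattern matching follows the documented props.conf rule that `*` does not cross a `/` while `...` does.

```python
import re

# Inputs from the original post (the host is a constructed placeholder).
SOURCE_PATTERN = "/path/of/myfile/*filename.log"   # props.conf [source::...] stanza
TARGET_STRING = r"www\.mywebsite\.com"             # existing transforms.conf REGEX
TARGET_HOST = "webhost01"                          # hypothetical host to add


def source_pattern_to_regex(pattern: str) -> str:
    """Translate a props.conf source:: wildcard pattern into a Python regex.

    props.conf semantics: '*' matches anything except a path separator,
    '...' matches anything including separators; everything else is literal.
    """
    out = "^"
    for piece in re.split(r"(\.\.\.|\*)", pattern):
        if piece == "...":
            out += ".*"
        elif piece == "*":
            out += "[^/]*"
        else:
            out += re.escape(piece)
    return out + "$"


# Stage 1: does the props.conf stanza apply to this source at all?
SOURCE_RE = re.compile(source_pattern_to_regex(SOURCE_PATTERN))

# Stage 2: the transforms.conf REGEX with the host folded in. Splunk evaluates
# REGEX against _raw by default, so it can only see the host if the host name
# is part of the event text. \b stops 'webhost01' from also matching 'webhost010'.
ROUTING_RE = re.compile(r"\b" + re.escape(TARGET_HOST) + r"\b.*" + TARGET_STRING)


def source_matches(source: str) -> bool:
    """True when the props.conf [source::...] stanza would apply to this file."""
    return SOURCE_RE.search(source) is not None


def would_route(event: str) -> bool:
    """True when the combined host+string REGEX would set _SYSLOG_ROUTING."""
    return ROUTING_RE.search(event) is not None


def would_forward(source: str, event: str) -> bool:
    """Both stages must pass for the event to reach the syslog target."""
    return source_matches(source) and would_route(event)


def transforms_stanza() -> str:
    """The transforms.conf stanza this check corresponds to (PCRE-compatible here)."""
    return (
        "[syslog_forward_rule]\n"
        f"REGEX = {ROUTING_RE.pattern}\n"
        "DEST_KEY = _SYSLOG_ROUTING\n"
        "FORMAT = syslog_target\n"
    )


# Constructed sample events: only the first one should be forwarded.
SAMPLE_EVENTS = [
    "Jan 12 10:00:01 webhost01 nginx: GET https://www.mywebsite.com/ 200",   # host + string
    "Jan 12 10:00:02 dbhost02 nginx: GET https://www.mywebsite.com/ 200",    # wrong host
    "Jan 12 10:00:03 webhost01 nginx: GET https://www.othersite.com/ 200",   # no string
    "Jan 12 10:00:04 webhost010 nginx: GET https://www.mywebsite.com/ 200",  # host prefix only
]


def route_decisions(events=SAMPLE_EVENTS, source="/path/of/myfile/app_filename.log"):
    """Return (event, forwarded?) pairs for a set of events from one source."""
    return [(event, would_forward(source, event)) for event in events]


if __name__ == "__main__":
    print(transforms_stanza())
    for event, decision in route_decisions():
        print("FORWARD" if decision else "keep   ", event)
```

Running it prints the stanza you would paste into transforms.conf and a per-event decision, which makes it easy to confirm that events from the wrong host, events without the string, and events from a host whose name merely starts with the target are all kept local. If the host name is not present in `_raw`, this regex cannot see it, and a `[host::...]` stanza in props.conf would route by host only, without the per-file restriction.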