Hi, We have a UF which forwards data to HF and HF passes it to indexers. UF forwards OS logs as well as logs from the directory that we are monitoring. We have configured HF to forward data received to indexers as well as to third party system as explained here: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd.
But on checking, only the OS logs are being forwarded, not the logs from the monitored directory. Can anybody suggest additional checks we should perform to ensure the logs from the directory are also forwarded to the third-party system?
Thanks.

Can you please share the configuration you set up on the HF (please mask any sensitive data)?

Hi swapsplunk236,
If your OS logs are being received, that means your chain UF -> HF -> IDX + 3rdParty is working properly. It could be that you misconfigured the data input that reads from your folders. Can you please post your UF inputs/outputs config?
Regards,
David
Please follow this:
--> Make sure you have no transforms configured for that data for routing purposes.
Forward all data
This example shows how to send all the data from a forwarder to a third-party system. Since you are sending all the data, you only need to edit outputs.conf:
[tcpout]
[tcpout:fastlane]
server = 10.1.1.35:6996
sendCookedData = false
Hi, Thank you for the suggestion. I will try this too.
Hi, Please see below for current output configuration in place on HF.
[tcpout]
defaultGroup = default-INDEXERS
autoLB = true
autoACK = true
indexAndForward = false
forwardedindex.filter.disable = true
Configuration settings to forward logs from Heavy forwarder to Indexer1 and Indexer2
[tcpout:default-INDEXERS]
autoLBFrequency = 40
server = indexer1:9997,indexer2:9997
Configuration settings to forward logs from Heavy forwarder to Third party.
[syslog]
type = udp
sendCookedData = false
DefaultGroup = SIEM-TP
[syslog:SIEM-TP]
server=X.X.X.X:port
disabled=false

In the syslog stanza it should be defaultGroup, not DefaultGroup. If this is correctly configured, then please share your props.conf and transforms.conf.
Thanks. Here is my props.conf
[host::*]
TRANSFORMS = SIEM-TP-T
and transforms.conf
[SIEM-TP-T]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = SIEM-TP

Please change your props.conf as below and restart splunk on HF.
[host::*]
TRANSFORMS-all = SIEM-TP-T
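The two mistakes in this thread (a miscased DefaultGroup key in outputs.conf, and a TRANSFORMS key in props.conf with no -class suffix, which Splunk ignores) are both easy to miss by eye. Below is an added example, not part of this thread or of Splunk, of a small Python linter that parses the three conf files and reports those two problems, plus the cross-references a routing setup depends on: that every defaultGroup names an existing group stanza, that every TRANSFORMS-<class> names a stanza that exists in transforms.conf, and that a routing transform's FORMAT names a matching tcpout:/syslog: stanza in outputs.conf. The sample conf text is constructed to mirror the configs posted above; the list of canonical key spellings is an assumption limited to the keys used in this thread.

```python
"""Lint Splunk outputs.conf / props.conf / transforms.conf for the routing
mistakes discussed in this thread. Constructed example, not Splunk's own tooling."""
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

# Constructed samples mirroring the configs posted in the thread.
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup = default-INDEXERS
autoLB = true
indexAndForward = false

[tcpout:default-INDEXERS]
server = indexer1:9997,indexer2:9997

[syslog]
type = udp
sendCookedData = false
DefaultGroup = SIEM-TP

[syslog:SIEM-TP]
server=X.X.X.X:port
disabled=false
"""
SAMPLE_PROPS_BROKEN = "[host::*]\nTRANSFORMS = SIEM-TP-T\n"
SAMPLE_PROPS_FIXED = "[host::*]\nTRANSFORMS-all = SIEM-TP-T\n"
SAMPLE_TRANSFORMS = "[SIEM-TP-T]\nREGEX = .\nDEST_KEY = _SYSLOG_ROUTING\nFORMAT = SIEM-TP\n"

# Splunk attribute names are case-sensitive. Assumed canonical spellings,
# limited to the outputs.conf keys that appear in this thread.
CANONICAL_OUTPUT_KEYS = {
    "defaultgroup": "defaultGroup", "sendcookeddata": "sendCookedData",
    "indexandforward": "indexAndForward", "autolb": "autoLB", "autoack": "autoACK",
}
# DEST_KEY value -> the outputs.conf stanza prefix its FORMAT must resolve to.
ROUTING_KEYS = {"_SYSLOG_ROUTING": "syslog", "_TCP_ROUTING": "tcpout"}


def parse_conf(text: str) -> Conf:
    """Parse INI-style Splunk conf text into {stanza: {key: value}}, keeping key case."""
    stanzas: Conf = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_outputs(outputs: Conf) -> List[str]:
    """Flag miscased keys and defaultGroup values that point at no group stanza."""
    findings = []
    for stanza, attrs in outputs.items():
        for key in attrs:
            canon = CANONICAL_OUTPUT_KEYS.get(key.lower())
            if canon and key != canon:
                findings.append(f"[{stanza}] '{key}' is miscased; Splunk expects '{canon}'")
        group_type = stanza.split(":", 1)[0]          # 'tcpout' or 'syslog'
        target = attrs.get("defaultGroup")
        if target and f"{group_type}:{target}" not in outputs:
            findings.append(f"[{stanza}] defaultGroup '{target}' has no [{group_type}:{target}] stanza")
    return findings


def lint_props(props: Conf, transforms: Conf) -> List[str]:
    """Flag TRANSFORMS keys without a -<class> suffix and dangling transform names."""
    findings = []
    for stanza, attrs in props.items():
        for key, value in attrs.items():
            if not key.upper().startswith("TRANSFORMS"):
                continue
            if key == "TRANSFORMS":       # the exact mistake fixed in this thread
                findings.append(f"[{stanza}] 'TRANSFORMS' lacks a class suffix and is ignored; "
                                f"use e.g. 'TRANSFORMS-all = {value}'")
            elif not key.startswith("TRANSFORMS-"):
                findings.append(f"[{stanza}] '{key}' is not a valid TRANSFORMS-<class> key")
            for name in (n.strip() for n in value.split(",")):
                if name not in transforms:
                    findings.append(f"[{stanza}] {key} references '{name}', not in transforms.conf")
    return findings


def lint_transforms(transforms: Conf, outputs: Conf) -> List[str]:
    """Flag routing transforms whose FORMAT names no matching output group."""
    findings = []
    for stanza, attrs in transforms.items():
        prefix = ROUTING_KEYS.get(attrs.get("DEST_KEY", ""))
        if prefix is None:
            continue                      # not a routing transform
        target = f"{prefix}:{attrs.get('FORMAT', '')}"
        if target not in outputs:
            findings.append(f"[{stanza}] FORMAT routes to '{target}', not defined in outputs.conf")
    return findings


def lint_all(outputs_text: str, props_text: str, transforms_text: str) -> List[str]:
    outputs, props, transforms = map(parse_conf, (outputs_text, props_text, transforms_text))
    return lint_outputs(outputs) + lint_props(props, transforms) + lint_transforms(transforms, outputs)


if __name__ == "__main__":
    for f in lint_all(SAMPLE_OUTPUTS, SAMPLE_PROPS_BROKEN, SAMPLE_TRANSFORMS):
        print("FINDING:", f)
```

Run it against the real files (e.g. the merged output of `splunk btool outputs list` on the HF) rather than the constructed samples; the one thing it will not tell you is whether the transform's REGEX actually matches the events, which is what the `REGEX = .` catch-all is for.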
This worked for me! Thank you very much.
[host::*]
TRANSFORMS-all = SIEM-TP-T

I have converted my comment to answer, please accept and upvote it.
