How do I configure a heavy forwarder to send data ...

kengilmour · ‎01-14-2016

Hi,

I need to change a bit of my Splunk architecture and split the data output as follows:

Forward from Heavy Forwarder to Splunk Indexer
Forward from the same Heavy Forwarder to a Syslog server.

The first one is easy to do, but the problem is with the second one. My server receives events which are on multiple lines (e.g. Windows Event Logs) and I need to forward them to a syslog server as single line events as a cheaper backup.

How do I get the logs to forward "blindly" to one Splunk server while parsing them into one line and forwarding them to another non-splunk server?

Thanks!

Ken

CletisSWRX · ‎10-11-2019

There is a way to do this. There is a way that the original message can be copied, transform applied, and sent out to the syslog server. This way the original log in WEF format is indexed in its original state and the syslog server receives tab delim single line format. I've seen it in use, I just don't have the code.

kengilmour · ‎10-11-2019

Thanks @CletisSWRX , but this was almost 4 years ago - I no longer use Splunk - I use CyberEasy now.

javiergn · ‎01-14-2016

I think your approach is only going to work with Syslog events and the extra effort of having to sylog-ize your remaining ones is probably going to be huge.

Some thoughts:

Use a product such as Snare in order to get those event logs via Syslog
Backup your raw data straight from your indexer

How do I configure a heavy forwarder to send data to an indexer, but also send data as a single line to a syslog server?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!