Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to Forward Data from Splunk Enterprise to TCP Syslog Server?

jamaluddin-k
Explorer
‎08-30-2023 04:32 AM

Hi,

I have a simple TCP syslog server in the same network where I have setup my Splunk Enterprise platform 9.10. I am trying to forward the data polled into Splunk Enterprise by Add-On apps to the TCP Syslog Server. But even after configuring it from settings> Forwarding and Receiving, I am getting error like connection Timed out.

Can anyone suggest what is being missed or needs to be looked into here.

Thank you

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-30-2023 03:41 PM

Hi @jamaluddin-k,

forwarding data from GUI is a feature to send logs to another Splunk instance not to a syslog server.

If you want to send logs to a syslog server, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Forwarddatatothird-partysystemsd#Syslo...

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

jamaluddin-k
Explorer
‎08-31-2023 02:27 AM

Hi @gcusello ,

I see, That was a big gap on my end. But I also already had tried the Syslog Forwarding section on the URL you shared. I was not able to receive any data at the syslog server.

My output.conf file is as simple as below.

 

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = 192.168.6.158:514

 

I initially felt that the syslog server configuration might have some issue or maybe network, but no I was able to send TCP message to the syslog server from the Splunk Enterprise VM Instance. Only the data from Splunk is not getting forwarded.

Both the Sysylog Server VM and Splunk Enterprise VM are in the same network.

Just curious, is the defaultGroup parameter got to do something here?

 

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-31-2023 02:31 AM

Hi @jamaluddin-k,

as you can see in the following question (https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-an...) I had the same problem and I solved  adding in inputs.conf _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three ones to send to syslog.

Ciao.

Giuseppe

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-30-2023 03:41 PM

Hi @jamaluddin-k,

forwarding data from GUI is a feature to send logs to another Splunk instance not to a syslog server.

If you want to send logs to a syslog server, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Forwarddatatothird-partysystemsd#Syslo...

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jamaluddin-k
Explorer
‎08-31-2023 04:13 AM

Thanks @gcusello 
I was able to fix the issue. Apart from the fact that 3rd part needs syslog forwarding as you mentioned, the issue was the default protocol. Splunk has it as UDP.

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...