Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to configure a heavy forwarder to route some of the data to syslogNG+Nullqueue?

DynaJimLin
Engager
‎03-30-2018 04:44 AM

I am trying to configure a heavy forwarder to route all of data to SyslogNG while route some data to null queue.

I need my data flow as below:

For Data Archive: HF -> all of data -> SyslogNG
For Daily Search: HF -> NullQueue -> Indexer

My issue is, when logs go to nullqueue, they do not go to syslogNG at all.
Is there any way to send to syslog while not indexing?

Also, I can not use these in inputs.conf:

SYSLOG_ROUTING = primarySyslogs
_TCP_ROUTING = somethingThatDoesntExistInOutputsConf

The reason is I use checkpoint lea app to get data, this app do not need to config regular inputs.conf.

Here is what I configured in props.conf, transforms.conf:

props.conf
[opsec]
TRANSFORMS-route = RouteToNG, RouteToNullQueue

transforms.conf
[RouteToNG]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogNG

[RouteToNullQueue]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://indexer:9997]

[tcpout:default-autolb-group]
disabled = false
server = indexer:9997

[syslog:syslogNG]
server = x.x.x.x:514

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-30-2018 07:50 AM

Hi DynaJimLin,
I know that this isn't a direct solution to your problem but a workaround: did you explored the choice to send all data to SyslogNG and Indexer and then, on Indexer, filter them?
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-30-2018 07:50 AM

Hi DynaJimLin,
I know that this isn't a direct solution to your problem but a workaround: did you explored the choice to send all data to SyslogNG and Indexer and then, on Indexer, filter them?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-03-2023 01:29 AM

Hi @DynaJimLin ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2018 05:49 AM

I'm curious as to why you have your HF in front of syslog-ng. The more common configuration is to write to syslog first (letting it filter as it needs to) and let a forwarder to pick up the events from there.
It is not possible to route events anywhere after nullQueue. nullQueue is a dead end - any events sent there are discarded.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...