Getting Data In

How to configure a universal forwarder to receive syslog messages, and then forward to Splunk Enterprise on another server?

simpkins1958
Contributor

Trying to figure out how to receive syslog messages sent to port 6514 over TLS on a Splunk universal forwarder, and then forward those syslog messages on to Splunk Enterprise on another server.

s2_splunk
Splunk Employee
Splunk Employee

Would this part of the documentation help? It has a subsection specifically on syslog input. Note that SplunkWeb is not available on universal forwarders, so you have to configure it using inputs.conf / outputs.conf using your favorite editor.

FWIW, the best practice for processing syslog events is to send them to a syslog/syslog-ng server, break out the various log sources / sourcetypes and write events to local files, which are then picked up by a UF.
This blog provides a good overview of how that works.

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...