Getting Data In

How to configure a universal forwarder to receive syslog messages, and then forward to Splunk Enterprise on another server?


Trying to figure out how to receive syslog messages sent to port 6514 over TLS on a Splunk universal forwarder, and then forward those syslog messages on to Splunk Enterprise on another server.

Splunk Employee
Splunk Employee

Would this part of the documentation help? It has a subsection specifically on syslog input. Note that SplunkWeb is not available on universal forwarders, so you have to configure it using inputs.conf / outputs.conf using your favorite editor.

FWIW, the best practice for processing syslog events is to send them to a syslog/syslog-ng server, break out the various log sources / sourcetypes and write events to local files, which are then picked up by a UF.
This blog provides a good overview of how that works.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!