Getting Data In

How to configure a universal forwarder to receive syslog messages, and then forward to Splunk Enterprise on another server?


Trying to figure out how to receive syslog messages sent to port 6514 over TLS on a Splunk universal forwarder, and then forward those syslog messages on to Splunk Enterprise on another server.

Splunk Employee
Splunk Employee

Would this part of the documentation help? It has a subsection specifically on syslog input. Note that SplunkWeb is not available on universal forwarders, so you have to configure it using inputs.conf / outputs.conf using your favorite editor.

FWIW, the best practice for processing syslog events is to send them to a syslog/syslog-ng server, break out the various log sources / sourcetypes and write events to local files, which are then picked up by a UF.
This blog provides a good overview of how that works.

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...