Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to forward an index to third party syslog using heavy forwarder

michael_lee
Path Finder
‎03-09-2016 07:35 AM

I have an index test_index collecting http logs and I want to forward to another syslog server. I have outputs.conf, props.conf and transform.conf as such:

  1. outputs.conf

    [syslog]
    defaultGroup=syslogGroup
    type=tcp

    [syslog:syslogGroup]
    server = 192.168.22.101:514

    [tcpout]
    defaultGroup = raw_tcp_out
    forwardedindex.0.whitelist =
    forwardedindex.1.blacklist =
    forwardedindex.2.whitelist =
    indexAndForward = true
    sendCookedData = false
    forwardedindex.0.whitelist = test_index

    [tcpout:raw_tcp_out]
    server = 192.168.22.101:514

  2. props.conf

    [host::192.168.22.101]
    TRANSFORMS-kiwi = send_to_syslog

  3. transform.conf

    [send_to_syslog]
    REGEX = .
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = syslogGroup

When I check with the destination syslog server 192.168.22.101, it is logging a lot of events which are not from test_index. Is there anything wrong with config files ? I a using 6.3.3 latest Splunk heavy forwarder.
thanks

Tags (3)
Reply

lycollicott
Motivator
‎03-14-2016 07:37 AM

If you have already ingested and indexed the events...why are you syslogging them at all? You already have them in Splunk, the greatest software on the planet.

0 Karma
Reply

ryandg
Communicator
‎03-11-2016 06:40 AM

In your outputs.conf why do you have multiple blank whitelists and blacklist?

[tcpout]
defaultGroup = raw_tcp_out
**forwardedindex.0.whitelist = 
forwardedindex.1.blacklist = 
forwardedindex.2.whitelist =** 
indexAndForward = true
sendCookedData = false
forwardedindex.0.whitelist = test_index
0 Karma
Reply

michael_lee
Path Finder
‎03-12-2016 07:13 AM

I have added something like this. Is this correct? First, I blacklist everything that I don't need to be forwarded. Then lastly the whitelist.

 forwardedindex.1.blacklist = _*
 forwardedindex.2.blacklist = main
 forwardedindex.0.whitelist = my_index_to_forward
0 Karma
Reply

ryandg
Communicator
‎03-14-2016 06:58 AM

try removing the blacklists and just having the whitelist. It's redundant to do a whitelist and a blacklist.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...