Solved: Re: How to forward data from a syslog collection s...

R_B · ‎08-14-2017

Hey everyone,

I currently have several devices forwarding syslog data to a syslog server. All of the devices data gets written to a directory called /syslog on the syslog server (there is a separate directory for each device inside of the /syslog directory). The syslog server uses the Universal Forwarder to forward the data in the /syslog directory to my indexers. In addition, I would like to forward all of the data being forwarded/written to the /syslog directory on the syslog server to a third party collection server. What would be the best way to forward only the data being forwarded to the /syslog directory?

Thanks in advance for any help!

starcher · ‎08-14-2017

Modify your syslog configuration to also forward syslog events to your other non Splunk system.. That isn't really a Splunk forwarder issue.

View solution in original post

starcher · ‎08-14-2017

Modify your syslog configuration to also forward syslog events to your other non Splunk system.. That isn't really a Splunk forwarder issue.

R_B · ‎08-14-2017

Ah sorry, I meant to ask how could I forward the data to the third party server in addition to the indexer by using the universal forwarder. In other words, how could I configure the universal forwarder to forward the data to the other server? Or really, what would be the best way to do it in this scenario?

starcher · ‎09-18-2017

Yeah don't do that. Make your syslog server send data out as well as write to file. Not the UF. I don't think the UF even can do that. It takes an indexer and you can cause all sorts of pipeline queue blocking trying it.

R_B · ‎09-18-2017

Ok i see, that makes sense. Thank you for your feedback!

How to forward data from a syslog collection server to a third party server?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?