Getting Data In

How to forward from HF to a RFC5424 syslog target

MattKr
Explorer

Good day,
I'm trying to set up the HF to forward to an additional syslog target which expects RFC5424 (Grafana Alloy). So far the HF is reaching the syslog target, but then the target complains about a missing priority, and I'm not sure if this is because of RFC5424 vs RFC3164.

I've tried the following outputs.conf option:

[syslog:my_syslog_group]
disabled = false
server = grafana-alloy.svc.cluster.local:51898
type = tcp
#other tested variant priority = <NO_PRI>
priority = <34>
#tested with or without timeformat
timestampformat = %b %e %H:%M:%S

How can I make sure that the HF syslog forward is using the RFC5424 format?

0 Karma
1 Solution

dural_yyz
Builder

The documentation for outputs.conf.spec specifically mentions RFC3164 so I don't believe Splunk has the configuration to support RFC5424 the way you want.

Honestly I would look at a packet capture at the destination from a good source and one relayed via Splunk HF to confirm. However, I wouldn't get your hopes up that Splunk will relay the way you want.

0 Karma
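To act on the packet-capture suggestion above, here is an added Python checker (not from the thread, and not Splunk's or Grafana's code) that classifies captured syslog lines as RFC5424 or RFC3164 and reports what a strict RFC5424 receiver would object to. The sample lines are constructed; the BSD-style one is my assumption of what a relay with priority = <34> and timestampformat = %b %e %H:%M:%S would emit.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(\d{1,3})>([1-9]\d{0,2}) (?:-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"\S+ \S+ \S+ \S+ (?:-|(?:\[[^\]]*\])+)(?: .*)?$"
)
# RFC3164 (BSD) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG... (the shape %b %e %H:%M:%S produces)
RFC3164_RE = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ .+$")
PRI_RE = re.compile(r"^<(\d{1,3})>")

@dataclass
class SyslogCheck:
    fmt: str                 # "rfc5424", "rfc3164" or "unknown"
    facility: Optional[int]  # PRI >> 3, None when no valid PRI
    severity: Optional[int]  # PRI & 7, None when no valid PRI
    problem: Optional[str]   # why a strict RFC5424 receiver would reject the line

def classify(line: str) -> SyslogCheck:
    # Classify one captured line; the PRI is checked first because that is what the target complained about.
    line = line.rstrip("\r\n")
    pri_m = PRI_RE.match(line)
    if not pri_m:
        return SyslogCheck("unknown", None, None, "no <PRI> header at start of message")
    pri = int(pri_m.group(1))
    if pri > 191:  # valid PRI is 0..191 (facility 0-23, severity 0-7)
        return SyslogCheck("unknown", None, None, f"PRI {pri} out of range 0-191")
    facility, severity = pri >> 3, pri & 7
    if RFC5424_RE.match(line):
        return SyslogCheck("rfc5424", facility, severity, None)
    if RFC3164_RE.match(line):
        return SyslogCheck("rfc3164", facility, severity,
                           "BSD header: no VERSION field after <PRI>, timestamp not RFC3339")
    return SyslogCheck("unknown", facility, severity, "PRI present but header matches neither RFC")

def summarize(lines):
    # Count formats in a capture so the HF relay can be compared against a known-good source.
    counts = {"rfc5424": 0, "rfc3164": 0, "unknown": 0}
    for line in lines:
        counts[classify(line).fmt] += 1
    return counts

# Constructed sample lines (not real captures): RFC5424, BSD-style as assumed for a priority=<34> relay,
# one with no PRI at all, and one with an invalid PRI.
SAMPLE = [
    "<34>1 2024-05-01T12:00:00Z host01 sshd 1234 ID47 - Failed password for root",
    "<34>May  1 12:00:00 host01 sshd[1234]: Failed password for root",
    "May  1 12:00:00 host01 sshd[1234]: Failed password for root",
    "<200>1 2024-05-01T12:00:00Z host01 sshd 1234 ID47 - Failed password for root",
]
```

Run classify() over the lines extracted from both captures; if the relayed copy comes back as rfc3164 while the good source is rfc5424, the format, not the network path, is what the receiver is rejecting.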

PickleRick
SplunkTrust

How are you getting the original data? Splunk has many great features but it's not a full-blown syslog receiver/processor. If you're receiving them using syslog as well, it would probably be better to use rsyslog/syslog-ng to receive the event and forward it from there (and send another copy to Splunk over HEC).

MattKr
Explorer

inputs.conf is used for the incoming data.

It's the chain inputs, props and transforms to syslog described here.

It would be great to transform to RFC5424 this way, but I doubt it's possible, or is it?

0 Karma

PickleRick
SplunkTrust

Of course you're using inputs.conf. Without it you'd have no inputs. Question is what inputs you get your data from. Is it a simple tcp:// or udp:// input and you're receiving data directly on your indexer (which you shouldn't)? Is it an intermediate syslog daemon writing to files which are read by UF? Is it something else?

0 Karma