How to forward splunkd.log to a foreign syslog server

MattKr
Explorer

Dear community,
it might be an odd question but I need to forward the splunkd.log to a foreign syslog server,
therefore I was following the sample from here:
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Forwarding/Forwarddatatothird-partysystem...

So far I have configured the forwarder to forward testing.log (should be splunkd.log later) to the foreign syslog target:

#inputs.conf
[monitor:///opt/splunk/var/log/splunk/testing.log]
disabled=false
sourcetype=testing

#outputs.conf
[tcpout]
defaultGroup=idx-cluster
indexAndForward=false

[tcpout:idx-cluster]
server=splunk-idx-cluster-indexer-service:9997

[syslog:my_syslog_group]
server = my-syslog-server.foo:514

#transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

So far so good, testing.log appears on the syslog server but not just that, all other messages are forwarded too.

Question: How can I configure the (heavy) forwarder to only send testing.log to the foreign syslog server, and
how can I make sure that testing.log does not get indexed? In other words, testing.log should only be sent to syslog.

Many thanks in advance

1 Solution

PickleRick
SplunkTrust

Unless you call that transform from props.conf, it's completely ineffective. But that's just a side note.

There are two separate issues here. One is to make sure only selected events get forwarded to syslog server. The way to go is probably to define two syslog groups - one with a real syslog server and one - a default one - with a dummy syslog server. The default syslog output is just a sink to catch all events not redirected using transforms to a working syslog output.

Another thing is to make sure specific data is not getting forwarded using splunk-tcp connection to downstream indexers. You can either use index filtering for this (but this works globally on tcp outputs) or you can do the same thing as with syslog but in reverse - do a dummy output and redirect there all events you don't want sent to indexers.

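One way to lay out the two-sink arrangement PickleRick describes, written here as an added example rather than configuration from the original post or from Splunk's documentation: the default syslog group points at a dummy target, the real syslog group is reached only through the `_SYSLOG_ROUTING` transform, and a dummy tcpout group reached through `_TCP_ROUTING` keeps `testing.log` away from the indexers. The stanza names `syslog_null_sink` and `null-sink`, the transform name `keep_off_indexers`, the `props.conf` stanza, the loopback placeholder addresses, and the per-group use of `dropEventsOnQueueFull` are assumptions; the indexer, syslog server and file path are the ones from the question.

```ini
# outputs.conf (added example; loopback addresses and ports are placeholders)
[tcpout]
defaultGroup = idx-cluster
indexAndForward = false

[tcpout:idx-cluster]
server = splunk-idx-cluster-indexer-service:9997

# Dummy TCP group (assumed name): the sink for events that must not be indexed.
# Assumption: nothing listens on this address. An unreachable tcpout target
# fills its queue, and that back-pressure blocks every other output group,
# so events sent here must be dropped rather than queued (assumed to be
# settable per group; 1 = wait one second, then discard).
[tcpout:null-sink]
server = 127.0.0.1:9999
dropEventsOnQueueFull = 1

# The default syslog group is the dummy one, so events that are NOT explicitly
# routed with _SYSLOG_ROUTING end up at a target where nothing listens.
[syslog]
defaultGroup = syslog_null_sink

# Placeholder dummy target; UDP, so an absent listener never blocks the forwarder.
[syslog:syslog_null_sink]
server = 127.0.0.1:5140
type = udp

# The real syslog server from the question, reached only via the transform below.
[syslog:my_syslog_group]
server = my-syslog-server.foo:514
type = udp

# props.conf: bind both routing transforms to the monitored file only,
# so nothing else on the forwarder is affected.
[source::/opt/splunk/var/log/splunk/testing.log]
TRANSFORMS-routing = send_to_syslog, keep_off_indexers

# transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

[keep_off_indexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = null-sink
```

The three files belong in one app directory on the heavy forwarder, since syslog output and routing transforms only act on parsed data. After a restart, `splunk btool outputs list --debug` and `splunk btool props list --debug` show which file each effective stanza comes from, which is the quickest way to confirm that a precedence clash is not silently overriding the routing. The alternative PickleRick mentions, index filtering, is the `forwardedindex.<n>.whitelist`/`forwardedindex.<n>.blacklist` settings in the global `[tcpout]` stanza; it applies to every TCP target group and works on index names, so it would first require sending `testing.log` to a dedicated index that is then blacklisted.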