How to forward splunkd.log to a foreign syslog server

MattKr
Explorer

Dear community,
it might be an odd question, but I need to forward the splunkd.log to a foreign syslog server,
therefore I was following the sample from here:
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Forwarding/Forwarddatatothird-partysystem...

So far I have configured the forwarder to forward testing.log (should be splunkd.log later) to the foreign syslog target:

#inputs.conf
[monitor:///opt/splunk/var/log/splunk/testing.log]
disabled=false
sourcetype=testing

#outputs.conf
[tcpout]
defaultGroup=idx-cluster
indexAndForward=false

[tcpout:idx-cluster]
server=splunk-idx-cluster-indexer-service:9997

[syslog:my_syslog_group]
server = my-syslog-server.foo:514

#transforms.conf
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

So far so good: testing.log appears on the syslog server, but not just that, all other messages are forwarded too.

Question: How can I configure the (heavy) forwarder to only send testing.log to the foreign syslog server, and
how can I make sure that testing.log does not get indexed? In other words, testing.log should only be sent to syslog.

Many thanks in advance

0 Karma
1 Solution

PickleRick
SplunkTrust

Unless you call that transform from props.conf, it's completely ineffective. But that's just a side note.

There are two separate issues here. One is to make sure only selected events get forwarded to the syslog server. The way to go is probably to define two syslog groups - one with a real syslog server and one - a default one - with a dummy syslog server. The default syslog output is just a sink to catch all events not redirected using transforms to a working syslog output.

Another thing is to make sure specific data is not getting forwarded using splunk-tcp connection to downstream indexers. You can either use index filtering for this (but this works globally on tcp outputs) or you can do the same thing as with syslog but in reverse - do a dummy output and redirect there all events you don't want sent to indexers.

0 Karma
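The two-sink layout described in the answer, written out as a complete set of heavy-forwarder configuration files. This is an added example, not configuration from the original post or from Splunk's documentation. The group names tcp_sink and syslog_sink, the transform names, and the sink hostnames under the reserved .invalid domain are assumptions chosen for illustration; the indexer and syslog hostnames are the ones from the question. The dropEventsOnQueueFull value on the dummy TCP group is meant to make that group discard instead of blocking the pipeline once its queue fills; confirm the exact semantics against the outputs.conf reference for your Splunk version before relying on it.

```ini
# --- outputs.conf (heavy forwarder; syslog output needs the parsing pipeline) ---
[tcpout]
defaultGroup = idx-cluster
indexAndForward = false

[tcpout:idx-cluster]
server = splunk-idx-cluster-indexer-service:9997

# Dummy TCP group (hypothetical name/host): events routed here never reach
# the real indexers. The host is deliberately unresolvable (.invalid is
# reserved), and a positive dropEventsOnQueueFull lets this group drop
# events rather than back up the whole pipeline when its queue is full.
[tcpout:tcp_sink]
server = tcp-sink.invalid:9997
dropEventsOnQueueFull = 1

[syslog]
# The default syslog group is a dummy sink, so no event reaches the real
# syslog server unless a transform explicitly routes it there.
defaultGroup = syslog_sink

[syslog:syslog_sink]
server = syslog-sink.invalid:514

[syslog:my_syslog_group]
server = my-syslog-server.foo:514
type = tcp

# --- props.conf ---
# Routing transforms are only applied when a props.conf stanza names them.
# Keyed on the sourcetype set in the question's inputs.conf stanza.
[testing]
TRANSFORMS-routing = route_to_syslog, keep_from_indexers

# --- transforms.conf ---
# Match every event of this sourcetype and route it to the real syslog group.
[route_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

# Steer the same events away from the indexer group into the TCP sink.
[keep_from_indexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = tcp_sink
```

Both transforms must be listed in one TRANSFORMS- setting on the same props stanza; each writes a different routing key, so both take effect. Two caveats a practitioner will want to check before moving from testing.log to the real target. First, a Splunk instance already monitors its own $SPLUNK_HOME/var/log/splunk directory into _internal with sourcetype splunkd, so for splunkd.log the props stanza should be keyed on that sourcetype or on the file's source:: path rather than on a new monitor stanza. Second, the syslog output speaks plain UDP or TCP (the type setting), so splunkd.log contents, which include hostnames and configuration paths, cross the network unencrypted; if that matters, point my_syslog_group at a local relay that adds TLS. The alternative the answer mentions, index filtering, is the forwardedindex.<n>.whitelist/blacklist settings under [tcpout]; it applies to every TCP output group at once, which is why the per-event routing above is preferred when only one group should be affected.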