Getting Data In

How to parse and send logs to a third party syslog server, but forward full raw logs to the indexer?

ckillg
Path Finder

I have some RADIUS logs that I need to parse and send to a third party syslog server; however, I want to send the intact raw logs to the indexer. Is there a way to do this?

Thanks,
Neill

0 Karma

hortonew
Builder

There are a number of different options depending at which stage you want to send to the 3rd party. Are the logs already configured to send to a Splunk forwarder of some kind? Is it collected via syslog-ng + written to a file, or just ingested via a tcp/udp input?

  1. If you want to send data that already exists in splunk, check out this app to see if it'll help for search type output: https://splunkbase.splunk.com/app/1847/
  2. If not that, one option is having the RADIUS server point at a virtual IP, and have the 3rd party load balancer mirror the traffic.
  3. If you're already collecting this as syslog via syslog-ng or something similar: In your outputs.conf, you could configure data cloning. So ingest the data, and send it to multiple destinations. If this is on a heavy forwarder, you might have to configure indexAndForward=false globally, which might affect your other data. If you're just using a universal forwarder, you should be fine as it can't index the data. See the following, and look for the cloning section: http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Configureforwarderswithoutputs.confd

0 Karma
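The cloning approach from option 3, written out as an added configuration example (not from the answer above or from Splunk's own docs): the forwarder's default tcpout group delivers the RADIUS events to the indexers unchanged, while a syslog output group sends a copy of the same events to the third-party server. Host names, ports, and the `radius` sourcetype are assumed, and the props/transforms routing assumes a heavy forwarder, since selective routing needs the parsing pipeline.

```ini
# outputs.conf (heavy forwarder) -- constructed example, hosts/ports are placeholders
[tcpout]
defaultGroup = splunk_indexers
# Heavy forwarder only: do not also index locally. This is a global setting,
# so it affects every input on this host, not just the RADIUS data.
indexAndForward = false

[tcpout:splunk_indexers]
# Raw events reach the indexers over the normal Splunk-to-Splunk stream.
server = indexer1.example.com:9997, indexer2.example.com:9997

[syslog:third_party]
# Syslog output prepends a syslog header and sends the event text to this host.
server = siem.example.com:514
type = tcp

# props.conf -- apply the routing transform only to the RADIUS sourcetype
[radius]
TRANSFORMS-route_radius = send_to_third_party_syslog

# transforms.conf -- add the syslog group as a destination for every matching event;
# _TCP_ROUTING is untouched, so the default tcpout group still receives the raw copy.
[send_to_third_party_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = third_party
```

Setting `indexAndForward = false` is only needed on a heavy forwarder that was indexing locally; a universal forwarder never indexes, so that line is irrelevant there.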