How to parse and send logs to a third party syslog server, but forward full raw logs to the indexer?

ckillg
Path Finder

I have some RADIUS logs that I need to parse and send to a third party syslog server; however, I want to send the intact raw logs to the indexer. Is there a way to do this?

Thanks,
Neill

0 Karma

hortonew
Builder

There are a number of different options depending on which stage you want to send to the 3rd party. Are the logs already configured to send to a Splunk forwarder of some kind? Is it collected via syslog-ng + written to a file, or just ingested via a tcp/udp input?

  1. If you want to send data that already exists in splunk, check out this app to see if it'll help for search type output: https://splunkbase.splunk.com/app/1847/
  2. If not that, one option is having the RADIUS server point at a virtual IP, and have the 3rd party load balancer mirror the traffic.
  3. If you're already collecting this as syslog via syslog-ng or something similar: In your outputs.conf, you could configure data cloning. So ingest the data, and send it to multiple destinations. If this is on a heavy forwarder, you might have to configure indexAndForward=false globally, which might affect your other data. If you're just using a universal forwarder, you should be fine as it can't index the data. See the following, and look for the cloning section: http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Configureforwarderswithoutputs.confd
0 Karma
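As an added illustration of option 3 above (this is example configuration, not taken from the answer or from Splunk's documentation), the following outputs.conf / props.conf / transforms.conf fragments send every RADIUS event to the Splunk indexers as usual and additionally route a copy to a third-party syslog server. The hostnames, ports, the `radius` sourcetype and the stanza names are assumed; the keys (`defaultGroup`, `indexAndForward`, `[syslog:<group>]`, `_SYSLOG_ROUTING`) are standard Splunk configuration keys. Because syslog output and index-time parsing happen on a heavy forwarder, the example assumes one, which is why `indexAndForward = false` appears, matching the caveat in the answer.

```ini
# --- outputs.conf (heavy forwarder; hostnames are placeholders) ---
[tcpout]
# All data goes to the Splunk indexers by default.
defaultGroup = splunk_indexers
# Do not also keep a local copy on the heavy forwarder.
# NOTE: this is a global setting and affects every input on this host.
indexAndForward = false

[tcpout:splunk_indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997

# A syslog output group is independent of the tcpout groups, so events
# routed here are cloned, not diverted away from the indexers.
[syslog:thirdparty_siem]
server = siem.example.com:514
type = udp
# RFC 3164 priority (facility user, severity notice) prepended to each event.
priority = <13>
timestampformat = %b %e %H:%M:%S

# --- props.conf (same heavy forwarder) ---
# Apply the routing transform only to the RADIUS sourcetype (assumed name).
[radius]
TRANSFORMS-route_radius = route_radius_to_syslog

# --- transforms.conf (same heavy forwarder) ---
[route_radius_to_syslog]
# Match every event of this sourcetype ...
REGEX = .
# ... and tag it for the syslog output group defined in outputs.conf.
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty_siem
```

Two practical checks after deploying this: confirm on the indexers that RADIUS events still arrive (the tcpout default group is unchanged), and capture traffic toward the syslog server's port to confirm the cloned copy. One caveat worth knowing when the goal is "parsed for the third party, raw for Splunk": index-time rewrites such as SEDCMD in props.conf are applied to the event before it reaches either output, so a single heavy forwarder cannot send a rewritten copy to syslog while indexing the untouched original; that use case needs the traffic split upstream (option 2 in the answer) or two separate forwarding paths.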