
If using the LWF, what do I need to enable to send syslog (udp) to a 3rd party system?

Path Finder

Referenced Doc: http://www.splunk.com/base/Documentation/4.1/Admin/Moreaboutforwarders

I need to be able to send data from a Splunk LWF to two distinct destinations:

1.) files a,b,c TCP to Splunk forwarder
2.) files d,e,f UDP to 3rd party syslog listener

I would have liked to send ALL data TCP from the Splunk LWF to the Splunk forwarder, then route specific data UDP to the 3rd party system, but sounds like there is no way to retain the original host (Splunk Answers: "Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?").

1 Solution

Splunk Employee

Enabling the Light Forwarder disables the syslog output processor in etc/apps/SplunkLightForwarder/default/default-mode.conf, as you've probably noticed, but simply overriding and re-enabling the syslog-output-generic-processor won't help you: for it to work correctly, Splunk must be able to send separate events in separate syslog events/packets, and in order to do that, it must be able to run a parsing queue to break lines. Since the Light Forwarder inherently does not do parsing, it doesn't do this. You can try overriding and re-enabling the linebreaker processor in the [pipeline:parsing] stanza as well as removing the syslog-output-generic-processor from the excluded items in the [pipeline:indexerPipe]. But really, you might just be better off using a heavy forwarder.


Splunk Employee

You'll need to create multiple outputs.conf stanzas that send the data to the receivers/collectors that you want to stream to. Specifically, use the syslog out stanzas and use your preferred parameters.

Now, to route specific events you must perform the routing and filtering based on sourcetype. Admittedly this is quite complex and will require more detail than the above.

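The split described in the two replies above (TCP output group for files a,b,c, syslog UDP output group for files d,e,f, routed by source), as an added example that is not from this thread. It assumes a heavy forwarder, since the routing transforms run in the parsing pipeline the Light Forwarder lacks; the hostnames, ports and file paths are placeholders.

```ini
# outputs.conf  (heavy forwarder; hosts and ports are placeholders)
[tcpout]
defaultGroup = splunk_indexers

# Output group 1: cooked TCP to the Splunk forwarder/indexer
[tcpout:splunk_indexers]
server = splunk-fwd.example.com:9997

# Output group 2: syslog over UDP to the third-party listener
[syslog:thirdparty_syslog]
server = syslog.example.com:514
type = udp

# props.conf  (attach a routing transform to each monitored file)
[source::/var/log/a.log]
TRANSFORMS-route = route_to_splunk
[source::/var/log/b.log]
TRANSFORMS-route = route_to_splunk
[source::/var/log/c.log]
TRANSFORMS-route = route_to_splunk
[source::/var/log/d.log]
TRANSFORMS-route = route_to_syslog
[source::/var/log/e.log]
TRANSFORMS-route = route_to_syslog
[source::/var/log/f.log]
TRANSFORMS-route = route_to_syslog

# transforms.conf  (REGEX = . matches every event of the source)
[route_to_splunk]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers

[route_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty_syslog
```

After restarting the forwarder, write one test line into d.log and confirm it arrives only at the syslog listener and not at the TCP receiver via defaultGroup; the syslog listener sees the forwarder's IP as the packet source, which is the host-retention limit the question mentions.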

Splunk Employee

You can route data however you'd like, but it depends on whether it's a LWF or a regular Forwarder:

"Forwarders can filter and route data to specific receivers based on criteria such as source, sourcetype, or patterns in the events themselves. For example, a forwarder can send all data from one group of hosts to one Splunk server and all other data to a second Splunk server. A forwarder can also look inside the events and filter or route accordingly. For example, you might want to inspect WMI event codes to filter or route Windows events. This topic describes a number of typical routing scenarios.

Besides routing to receivers, forwarders can also filter and route data to specific queues or discard the data altogether by routing to the null queue.

Only regular forwarders can route or filter data at the event level. Light forwarders do not have the ability to inspect individual events."

http://www.splunk.com/base/Documentation/4.1/Admin/Routeandfilterdata


Path Finder

Thanks, but this isn't quite the answer I was looking for so let me rephrase...

How can I customize my LWF configuration to perform a couple of the regular forwarder duties?

  • Need to transform data to route events to 2 systems
  • Need to send data in syslog format via UDP to a 3rd party

Do I need to enable certain modules in $SPLUNK_HOME/etc/apps/SplunkLightForwarder/default/default-mode.conf?:

[pipeline:udp]
[pipeline:syslogfifo]
[pipeline:syslogudp]

Would it be better to run reg. forwarder and disable what I don't need? The goal is to have min. impact on system performance.
