Getting Data In

Output syslog to external system

skippylou
Communicator

So I setup syslog output forwarding per the Splunk docs, but am not seeing anything being sent out nor receiving it on the endpoint.

Here is what I have applied (and have tried w/o a props or transforms just like the example w/o success). This was done on the indexer itself, only light forwarders and tcp syslog servers send data into the indexer.

outputs.conf:

[syslog:webreports_syslog_group]
server = myhostname:514
type = tcp


transforms.conf:

[send_to_webreports]
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group


props.conf:

[source::/data/logs/httpd/somesite/access*]
TRANSFORMS-weblog-matrix = send_to_webreports

In the metrics.log I see these entries:

08-19-2010 10:34:04.782 INFO Metrics - group=syslog_connections, webreports_syslog_group:myhostname:514:myhostname:514, sourcePort=8089, destIp=myhostname, destPort=514, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=0, _tcp_eps=0.00

So curious what the double hostname is in the group area? Not sure if this matters much as the destIP is probably what is used for the connection. I see the doubling up in that line regardless if i have hostname, fqdn or IP.

Also not sure why I see no data being sent out. External system is accessible on tcp/514 from this splunk server.

Thanks for insight.

scott

Tags (2)
0 Karma
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

I suspect your problem lies in transforms.conf. You appear to be missing REGEX = in your send_to_webreports stanza. You can confirm this by looking for the message REGEX field must be specified tranform_name= in splunkd.log.

View solution in original post

Stephen_Sorkin
Splunk Employee
Splunk Employee

I suspect your problem lies in transforms.conf. You appear to be missing REGEX = in your send_to_webreports stanza. You can confirm this by looking for the message REGEX field must be specified tranform_name= in splunkd.log.

mcronkrite
Splunk Employee
Splunk Employee

transforms.conf:

[send_to_webreports]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = webreports_syslog_group

0 Karma

Lowell
Super Champion

If you want to match everything, then I recommend just using REGEX = . There is no need to include the star "*". (This should be just slightly more efficient)

skippylou
Communicator

Thanks! I didn't see any mention of this in the docs, but putting 'REGEX = .*' as part of it worked just perfectly.

Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...