Getting Data In

Possible to clone/forward logs to a third-party system?

chje
Explorer

Hi,
Is it possible to clone/forward logevents from specific hosts from a Splunk instance to a third-party system?
The importance here is that all logs still should be indexed and searchable on the splunk indexer but some of the data should also be copied from the indexer and get forwarded to a third-party system. This third-party system is a syslog-ng.
Which approach should I look into more deeply? To forward the data or to clone the data?
Is cloning even possible to a no-splunk instance?
Thanks in advance.

Br,
CJ

Tags (2)
0 Karma
1 Solution

MuS
Legend

kml_uvce
Builder

you can forward data to third party system and this is the better approach, see this link
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd

0 Karma

MuS
Legend

Hi chje,

read the docs about Forward data to third-party systems http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd

cheers, MuS

chje
Explorer

Thanks for the quick replies guys.
I have looked into this doc but I couldn´t see anywhere if the data is "copied" when forwarded or not.
I would like to have the data on two locations so to speak. Not just routed or forwarded away all together from the Splunk indexer.
If you understand what I mean.
But if this is possible with the forwarding described in the document, then I will start looking into implementing this.

/CJ

0 Karma

MuS
Legend

or in the UI

Settings » Forwarding and receiving » Forwarding defaults

Store a local copy of forwarded events?
 Yes   No
0 Karma

MuS
Legend

Okay, follow the docs and add this in your outputs.conf

indexAndForward = [true|false]
* Index all data locally, in addition to forwarding it.
* This is known as an "index-and-forward" configuration.
* This attribute is available only at the top level [tcpout] stanza. It cannot be overridden in a target group.
* Defaults to false.
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...