Getting Data In

Receiving data via Splunk Forwarder, I want to forward it as syslog

Dimitri_McKay
Splunk Employee

The original data is NOT syslog, and it's coming via universal forwarder, but I would like to forward it from my Splunk indexer onward to a third-party receiver as UDP syslog. Can we take data that comes from a monitor stanza in a universal forwarder, index it, and then also send it on in raw syslog format? Has anyone faced this challenge and come up with a solution?

Outputs.conf:

# Syslog output group on the indexer; anything routed here leaves as UDP syslog
[syslog:syslog_out]
server = 209.83.194.68:514
type = udp
timestampformat = %b %e %H:%M:%S

Transforms.conf

# Search-time field extraction for the trap data (tilde-delimited)
[trapfields]
DELIMS = "~"
FIELDS = A1,A2,A3,A4,trapagt,trapsrc,oid,A8
# Match every event (REGEX = .) and set its routing key to the syslog_out group
[syslog_routing]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_out

Props.conf

[traplog]
TZ = UTC
pulldown_type = 1
REPORT-f1 = trapfields
[impact]
TZ = UTC
pulldown_type = 1
MAX_TIMESTAMP_LOOKAHEAD=50
NO_BINARY_CHECK=1
[nc_syslog]
TZ = UTC
pulldown_type = 1
MAX_TIMESTAMP_LOOKAHEAD=50
NO_BINARY_CHECK=1
# Routing is index-time, so this stanza must be on the indexer (the parsing tier);
# a universal forwarder does not apply TRANSFORMS-. The stanza name must match the
# sourcetype set in the forwarder's monitor stanza exactly.
[syslog_test]
TRANSFORMS-routing = syslog_routing

Splunk version 5.0.4

Dimitri_McKay
Splunk Employee

Strangely enough, I believe it was related to syslog running on the customer's box, which owned the port, which is why we weren't seeing anything in the tcpdump. But it's now working. So #win. Thanks all for your help.

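A way to check the receiving end of the path discussed in this thread, as an added example that is not code from the thread or from Splunk: a small Python UDP receiver and sender. port_conflict() reproduces the failure the thread ended on, a daemon that already owns the UDP port so a second bind fails with EADDRINUSE; send_and_receive() confirms that a datagram really arrives at a listener on the port; format_syslog() builds a line in a "<PRI>timestamp host event" layout using the same timestamp pattern as the timestampformat above. That layout, the priority 13, the host names and the sample event are assumptions and constructed data; check the real line shape against your receiver.

```python
"""Check the UDP syslog leg between a Splunk indexer and a third-party receiver.

Added example (not from the thread): a tiny UDP receiver and sender that
demonstrate two things to confirm before blaming the Splunk configuration:
  1. nothing else (a local syslogd, for instance) already owns the UDP port,
     which shows up as EADDRINUSE when you try to bind it; and
  2. a datagram actually arrives at the listener in the expected layout.
"""
import errno
import socket
import time


def bind_udp(host, port):
    """Bind a UDP socket to host:port.

    Returns the socket, or None when the port is already owned by another
    process (errno EADDRINUSE). Port 0 lets the kernel pick a free port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None
        raise
    return sock


def format_syslog(event, host="indexer01", pri=13, when=None):
    """Build one syslog line in an assumed "<PRI>Mon dd HH:MM:SS host event" layout.

    The timestamp follows the same pattern as timestampformat = %b %e %H:%M:%S;
    %e (space-padded day) is assembled by hand because strftime("%e") is not
    portable across Python builds. `when` is epoch seconds (UTC), default now.
    """
    ts = time.gmtime(when)  # gmtime(None) is the current time
    stamp = "%s %2d %s" % (time.strftime("%b", ts), ts.tm_mday,
                           time.strftime("%H:%M:%S", ts))
    return "<%d>%s %s %s" % (pri, stamp, host, event)


def send_and_receive(message, host="127.0.0.1", port=0, timeout=2.0):
    """Bind a receiver, send `message` to it over UDP, return what arrived.

    Raises RuntimeError if the port is already taken, which is the symptom
    from the thread: the packets reach the host but are consumed by whatever
    daemon owns the port, and the intended receiver never sees them.
    """
    listener = bind_udp(host, port)
    if listener is None:
        raise RuntimeError("udp/%d on %s is already owned by another process" % (port, host))
    listener.settimeout(timeout)
    target = listener.getsockname()  # resolves port 0 to the real port number
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), target)
        data, _peer = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return data.decode("utf-8")


def port_conflict():
    """Reproduce the EADDRINUSE failure mode on a loopback ephemeral port.

    The first bind plays the role of the customer's syslog daemon; the second
    is the receiver that silently never gets the data. Returns True when the
    second bind fails as expected.
    """
    daemon = bind_udp("127.0.0.1", 0)
    port = daemon.getsockname()[1]
    try:
        return bind_udp("127.0.0.1", port) is None
    finally:
        daemon.close()


if __name__ == "__main__":
    # Constructed sample event standing in for a line from the UF monitor stanza.
    line = format_syslog("trap received from 10.0.0.5 oid=1.3.6.1.4.1")
    print("port conflict reproduced:", port_conflict())
    print("received:", send_and_receive(line))
```

On the receiving host, call bind_udp("0.0.0.0", 514) as root: a None result means another process already owns the port, and on Linux `ss -lunp` shows which one. Only after the bind succeeds is it worth watching tcpdump on the indexer for outgoing datagrams.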

jtrucks
Splunk Employee

I'd go with MuS' suggestion: start with forwarding EVERYTHING to syslog then slowly build your config out to forward only those things you want. Also, this is possibly useful: http://wiki.splunk.com/Community:Test:How_Splunk_behaves_when_receiving_or_forwarding_udp_data

--
Jesse Trucks
Minister of Magic

Dimitri_McKay
Splunk Employee

I sat watching a tcpdump on the forwarder for any activity. There was zero.


jtrucks
Splunk Employee

What is actually happening? Obviously it isn't fully functional, but have you looked at tcpdump on the Splunk forwarder to see if the data going out that port looks correct? Have you looked on the syslog end-point system with tcpdump to see if it is getting any data in on that port?

--
Jesse Trucks
Minister of Magic

MuS
SplunkTrust

Did you check that there is nothing blocking UDP traffic from the IDX to the syslog server? Any possible typo in the sourcetype name? Have you tried what the docs tell you, for example forwarding everything from one host? This way you can tell if it is working or not.

Dimitri_McKay
Splunk Employee

That's where I started. I'm not sure if there was something I missed.
