Splunk audit log in syslog output


I have my Splunk instance set up to receive data on a TCP port, sourcetype it, then output it to a Splunk receiver using the forwarder/receiver configuration. Everything is okay with that; my problem comes in when I try to configure a syslog output, as talked about and

The remote server receives the data as I intended, but it also receives a whole bunch of Splunk audit events, particularly whenever a user uses the web interface.



server = logserver:12345
type = tcp
sendCookedData = false


TRANSFORMS-syslog = send_to_syslog


REGEX = .*
FORMAT = logserver

It is my understanding that the bracket inside of props.conf specifies the sourcetype that I would like output to syslog. I have also tried host::* (and various iterations of server names), and source::tcp:5557 (the port that these particular entries are coming in on) to no avail.

The logs I am seeing on my syslog server include the logs I am looking for, but also have multiple entries such as:

<13>Audit:[timestamp=05-19-2010 14:52:32.090, user=admin, action=admin_all_objects, info=granted ][n/a]

Any ideas?
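For comparison, here is an added example (not from the original post or from Splunk's documentation) of a forwarder-side configuration that routes only one sourcetype to the syslog host, so that events of other sourcetypes, including the audit events, are not sent. `logserver:12345` and port 5557 are taken from the question; the sourcetype name `app_events` is a placeholder.

```ini
# Added example, not the poster's configuration. The four .conf fragments below
# live on the instance that owns the syslog output (the parsing forwarder).
# "logserver:12345" and port 5557 come from the question; "app_events" is a
# placeholder sourcetype name.

# --- inputs.conf: tag the raw TCP feed with a sourcetype ---
[tcp://5557]
sourcetype = app_events

# --- outputs.conf: the syslog destination. "logserver" after "syslog:" is the
#     group name that FORMAT in transforms.conf refers to; it is not the hostname.
[syslog:logserver]
server = logserver:12345
type = tcp

# --- props.conf: the stanza header scopes the transform to this sourcetype only.
#     A [default], host::* or overly broad stanza here applies the routing rule to
#     every event the instance parses, which is how internal events leak out.
[app_events]
TRANSFORMS-syslog = send_to_syslog

# --- transforms.conf: set the syslog routing key on matching events.
#     DEST_KEY = _SYSLOG_ROUTING is what makes this a routing rule rather than a
#     field extraction; REGEX = . matches any non-empty event.
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = logserver
```

After a restart, a quick check is that the `<13>Audit:[...]` lines from the question no longer arrive on the syslog server, since Splunk's own audit events (sourcetype audittrail) no longer match any stanza that sets `_SYSLOG_ROUTING`.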


Path Finder

Have you tried removing:


from your outputs.conf?

As I read it and from my own experience it might change the behaviour from what you intend. Otherwise it looks good. If all else fails you can use REGEX = to negate certain log entries.


definitely not, just raw TCP stream -> splunk -> syslog



Am I reading this correctly in that you are doing Server -> Syslog -> Splunk Forwarder -> Syslog -> Splunk Indexer?



Had the same problem. If you are using a regular forwarder (not a lightweight), you need to configure the indexer to receive the data using splunktcp instead of tcp. You can either use the default splunktcp port 9997, or add a new one. To add a new splunktcp to the indexer, navigate to: Manager >> Forwarding and Receiving >> Receive Data >> add new. Specify the port number. You will need to configure the forwarder to set sourcetype.

From the inputs.conf documentation:

* This is the same as TCP, except the remote server is assumed to be a Splunk server.

Worked for me!


Super Champion

Correction: Events coming from either normal splunk forwarders or lightweight splunk forwarders should both be received using the splunktcp input.
