Getting Data In

Syslog forwarding/routing with Heavy Forwarder is sending more logs than excepted

davietch
Path Finder

Dear Splunkers,

 

I am trying to forward a specific sourcetype (let's call it "mySourcetype") to a third party software with a Heavy Forwarder.

The Heavy Forwarder receives the data on a udp port with a splunk input:

[udp://xxxxx:514]
connection_host = dns
sourcetype = mySourcetype
_SYSLOG_ROUTING = mySyslogRouting

 

We added the _SYSLOG_ROUTING line to also send it to the third party software as described in outputs.conf:

[syslog:mySyslogRouting]
type = udp
priority = NO_PRI
syslogSourceType = sourcetype::mySourcetype
server = yyyyyy:3000

 

Unfortunately, the destination "yyyyyy:3000" receive all data (not just this sourcetype) from the HF. So that means all the other sourcetype and internal Splunk logs...

 

We tried to use the props.conf and transforms.conf to route it:

props.conf

[mySourcetype]
TRANSFORMS-changehost = routeSourcetype

 

transforms.conf

[routeSourcetype]
DEST_KEY=_SYSLOG_ROUTING
REGEX=(.)
FORMAT=mySyslogRouting

 

The result is the same : the destination receive too much data.

 

Any idea to limit the Syslog forwarding to just one sourcetype?

 

Thanks

 

EDIT: I found an old post that seems to be talking about the same issue but with no answers...

https://community.splunk.com/t5/Getting-Data-In/Route-syslog-from-heavy-forwarder-to-3rd-party-but-o...

Labels (3)
1 Solution

davietch
Path Finder

Hi all,

 

It turns out our HF version (8.2.1) had a bug and upgrading to the latest (8.2.2) fixed the issue.

View solution in original post

davietch
Path Finder

Hi all,

 

It turns out our HF version (8.2.1) had a bug and upgrading to the latest (8.2.2) fixed the issue.

View solution in original post

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!