Syslog -> 2 different Regex -> different destinations each

RyanH
Loves-to-Learn

Hello,

I have been trying to get a Splunk config to work for a while, and have come here for help! I'm out of ideas.

I have network syslog from many different sources all being sent to a Heavy Forwarder.

My hope is to get the syslog matched against two different regexes and have the matched data sent to two different locations.

My Configs:

props.conf

[host::*]
TRANSFORMS-SYSLOG = send_to_serverA, send_to_serverB

transforms.conf

# Splunk setting names are case-sensitive: the key is REGEX, not regex.
# The pattern is written without surrounding quotes (quotes become part of
# the regex). FORMAT must name the outputs.conf group exactly, i.e. the
# part after "syslog:" in [syslog:serverA_group].
# Note: both transforms write the same DEST_KEY, so an event that matches
# both patterns keeps only the value set by the later transform.
[send_to_serverA]
REGEX = regex goes here
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverA_group

[send_to_serverB]
REGEX = regex goes here
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverB_group

outputs.conf

[syslog:serverA_group]
server = x.x.x.1:514,x.x.x.2:514

[syslog:serverB_group]
server = x.x.1.1:514,x.x.1.2:514

 

This is currently not working, and it seems to have something to do with the DEST_KEY = _SYSLOG_ROUTING.

I get some very strange results.

Can anyone point out where I have gone wrong, or whether this can be done at all?

 

Regards,

Ryan


isoutamo
SplunkTrust

Hi,
maybe this is not what you are expecting, but why do you want to use an HF as a syslog server? You are receiving pure syslog messages and forwarding them to other syslog servers (not into Splunk). It's much better to use a real syslog server (e.g. rsyslog or syslog-ng) for this than a Splunk HF.
r. Ismo

RyanH
Loves-to-Learn

Hello,

I'm using the HF because I want to filter the results that I send to each "Server"; this allows me to collect all the syslog and only index the messages I'm looking for.

So:

All Syslog -> (Regex match) -> ServerA (My Splunk Server)

All Syslog -> (Regex match) -> ServerB (third-party syslog server)

The HF seems to be able to do it; I just seem to be missing how to match two different regexes and send the results to the different servers.

 

Any help would be great,

 

Ryan

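Editor's note: the following is an added example configuration for the layout described in this reply (ServerA is a Splunk indexer, ServerB a third-party syslog receiver); it is not taken from the thread or from Splunk documentation. The regexes, host names, ports and group names are placeholders, and it assumes the indexer listens on 9997. The two legs deliberately use different routing keys: _TCP_ROUTING for the Splunk leg and _SYSLOG_ROUTING for the syslog leg. In the original config both transforms write _SYSLOG_ROUTING, so an event matching both patterns keeps only the later transform's value, and the Splunk leg never uses Splunk's own forwarding protocol.

```ini
# props.conf  (on the heavy forwarder)
# Run both routing transforms on every host. Order only matters when two
# transforms write the same DEST_KEY; these two write different keys.
[host::*]
TRANSFORMS-routing = route_to_splunk, route_to_thirdparty

# transforms.conf
# Setting names are case-sensitive (REGEX, DEST_KEY, FORMAT) and the regex
# is written without surrounding quotes. Patterns below are placeholders.
[route_to_splunk]
# Events to index in Splunk: e.g. firewall deny/drop lines (placeholder).
REGEX = (?i)\b(denied|dropped)\b
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers

[route_to_thirdparty]
# Events for the third-party receiver: e.g. link state changes (placeholder).
REGEX = (?i)interface .* changed state to (up|down)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty_syslog

# outputs.conf
# No defaultGroup under [tcpout] on purpose: only events that received a
# _TCP_ROUTING value are forwarded to Splunk; everything else is not.
[tcpout]

[tcpout:splunk_indexers]
server = splunk-idx.example.com:9997

# Syslog output is UDP unless type = tcp is set; pick what ServerB accepts.
[syslog:thirdparty_syslog]
server = syslog-b.example.com:514
type = udp
```

Because _TCP_ROUTING and _SYSLOG_ROUTING are independent keys, a message that matches both patterns is delivered to both destinations, and a message that matches neither goes nowhere. If the HF has indexing enabled, also confirm it is not indexing locally in addition to forwarding. Note that Splunk's syslog output re-emits the event with its own syslog header, so the third-party receiver does not see the original packet byte for byte.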

isoutamo
SplunkTrust

That is much better done with a syslog daemon. Both rsyslog and syslog-ng can do that.

Above are some instructions on how to do it, and there are more on the net.

r. Ismo


PickleRick
SplunkTrust

If you just want to manipulate syslog events, use a syslog daemon. Using an HF for it is huge overkill.


PickleRick
SplunkTrust

As a nice "side effect", with a proper syslog server (rsyslog for sure, but probably syslog-ng can do that too), apart from redirecting simple syslog messages you can also send events to Splunk via HEC.
