Syslog -> 2 different Regex -> different destinations each

RyanH
Loves-to-Learn

Hello,

I have been trying to get a Splunk config to work for a while and have come here for help. I'm out of ideas.

I have Network Syslog from many different sources all being sent to a Heavy Forwarder.

My hope is to get the syslog matched against two different regexes and have the matched data sent to two different locations.

My Configs:

props.conf

[host::*]
TRANSFORMS-SYSLOG = send_to_serverA, send_to_serverB

transforms.conf

[send_to_serverA]
# Setting names are case-sensitive: the regex setting is REGEX, not regex
REGEX = "regex goes here"
DEST_KEY = _SYSLOG_ROUTING
# FORMAT must name the [syslog:<group>] stanza in outputs.conf
FORMAT = serverA_group

[send_to_serverB]
REGEX = "regex goes here"
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverB_group

outputs.conf

[syslog:serverA_group]
server = x.x.x.1:514,x.x.x.2:514

[syslog:serverB_group]
server = x.x.1.1:514,x.x.1.2:514

This is currently not working, and it seems to have something to do with DEST_KEY = _SYSLOG_ROUTING.

I get some very strange results.

Can anyone point out where I have gone wrong, or whether this can be done at all?

Regards,

Ryan

0 Karma

isoutamo
SplunkTrust

Hi
Maybe this is not what you are expecting, but why do you want to use an HF as a syslog server? You are receiving pure syslog messages and forwarding them to other syslog servers (not into Splunk). It's much better to use a real syslog server (e.g. rsyslog or syslog-ng) for this than a Splunk HF.
r. Ismo

RyanH
Loves-to-Learn

Hello,

I'm using the HF because I want to filter the results that I send to each "Server", which allows me to collect all the Syslog and only index the messages I'm looking for.

So:

All Syslog -> (Regex match) -> ServerA (my Splunk server)

All Syslog -> (Regex match) -> ServerB (third-party syslog server)

The HF seems to be able to do it; I just seem to be missing how to match two different regexes and send the results to the different servers.


Any help would be great,


Ryan

0 Karma

isoutamo
SplunkTrust

That is much better to do with syslog. Both rsyslog and syslog-ng can do that.

Above are some instructions on how to do it, and there are more on the net.

r. Ismo

0 Karma

PickleRick
SplunkTrust

If you just want to manipulate syslog events, use a syslog daemon. Using an HF for it is huge overkill.

0 Karma

PickleRick
SplunkTrust

As a nice "side effect", with a proper syslog server (with rsyslog for sure, but probably syslog-ng can do that too), apart from redirecting simple syslog messages you can also send events via HEC to Splunk.

0 Karma
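Since both replies point to a syslog daemon, here is an added example (not from this thread, and not Splunk's or rsyslog's own documentation) of an rsyslog 8.x configuration doing the two-pattern split the question asks for: messages matching the first regex go to Splunk through HEC with omhttp, messages matching the second go to the third-party syslog server with omfwd. The hostnames, HEC token, listening port and both regexes are placeholders, and omhttp is assumed to be available in the installed rsyslog.

```rsyslog
# Added example (not from the thread). Placeholders: the two regexes,
# both destination hostnames and the HEC token must be replaced.

module(load="imudp")            # receive syslog over UDP
input(type="imudp" port="514")
module(load="omhttp")           # HTTP output, used for the Splunk HEC

# JSON payload in the shape the Splunk HTTP Event Collector expects;
# format="json" escapes quotes/newlines inside the message safely.
template(name="splunk_hec" type="list") {
  constant(value="{\"sourcetype\":\"syslog\",\"host\":\"")
  property(name="hostname" format="json")
  constant(value="\",\"event\":\"")
  property(name="msg" format="json")
  constant(value="\"}")
}

# Destination A (Splunk via HEC): only messages matching the first pattern.
# re_match() uses POSIX extended regular expressions.
if re_match($msg, "REGEX_A_GOES_HERE") then {
  action(type="omhttp"
         server="splunk.example.internal" serverport="8088" usehttps="on"
         restpath="services/collector/event"
         httpheaderkey="Authorization"
         httpheadervalue="Splunk HEC_TOKEN_PLACEHOLDER"
         template="splunk_hec")
}

# Destination B (third-party syslog server): only messages matching the
# second pattern, forwarded as plain syslog over TCP. There is no "stop"
# after block A, so a message matching both patterns is sent to both.
if re_match($msg, "REGEX_B_GOES_HERE") then {
  action(type="omfwd" target="syslog-b.example.internal" port="514"
         protocol="tcp")
}
```

Each `if` block is evaluated independently, so the two filters never overwrite one another the way two transforms writing the same DEST_KEY can.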