Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Syslog -> 2 different Regex -> different destinations each

RyanH
Loves-to-Learn
‎11-24-2021 07:07 AM

Hello,

I have been trying to get a Splunk config to work for a while, and have come here for help! I'm out of ideas.

 

I have Network Syslog from many different  sources all being sent to a Heavy Forwarder.

My hope is to get the syslog matched against two different regex's and have the matched data sent to two different locations.

My Configs:

props

[host::*]

TRANSFORMS-SYSLOG = send_to_serverA, send_to_serverB

transforms

[send_to_serverA]

regex = "regex goes here"

DEST_KEY = _SYSLOG_ROUTING

FORMAT = serverA

[send_to_serverB]

regex = "regex goes here"

DEST_KEY = _SYSLOG_ROUTING

FORMAT = serverB

outputs

[syslog:serverA_group]

server = x.x.x.1:514,x.x.x.2:514

[syslog:serverB_group]

server = x.x.1.1:514,x.x.1.2:514

 

This is currently not working and it seems to have something to do with the DEST_KEY = _SYSLOG_ROUTING.

I get some very strange results.

Can any one point out where I have gone wrong? If this can be done?

 

Regards,

Ryan

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-26-2021 12:20 AM
Hi
maybe this is not what you are expecting, but why you want to use HF as syslog server? You are getting in pure syslog messages and forward those to another syslog servers (not into splunk). It's much better to use real syslog server (eg. rsyslog or syslog-ng) for this than Splunk HF.
r. Ismo
Reply

RyanH
Loves-to-Learn
‎11-29-2021 03:12 AM

Hello,

I'm using the HF because I want to filter the results that I send to each "Server", this allows me to collect all the Syslog and only index the messages I'm looking for.

So:

All Syslog -> (Regex match ) -> ServerA (My Splunk Server)

All Syslog -> (Regex match ) -> ServerB  (third party syslog server)

 

The HF seems to be able to do it, I just seem to be missing how to match two different regex's and send the results too the different servers. 

 

Any help would be great,

 

Ryan

Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-29-2021 11:00 PM

That is much better to do with syslog. Both rsyslog and syslog-ng can do that. 

Above are some instructions how to do it and there are more on net.

r. Ismo

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-29-2021 04:59 AM

If you just want to manipulate syslog events. Use a syslog daemon. Using HF for it is a huge overkill.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-26-2021 12:35 AM

As a nice "side effect", with a proper syslog server (with rsyslog for sure but probably syslog-ng can do that too), apart from redirecting simple syslog messages you can also send events via HEC to splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...