
Syslog -> 2 different Regex -> different destinations each

RyanH
Loves-to-Learn

Hello,

I have been trying to get a Splunk config to work for a while, and have come here for help! I'm out of ideas.


I have network syslog from many different sources all being sent to a Heavy Forwarder.

My hope is to get the syslog matched against two different regexes and have the matched data sent to two different locations.

My Configs:

props.conf

    [host::*]
    TRANSFORMS-SYSLOG = send_to_serverA, send_to_serverB

transforms.conf

    [send_to_serverA]
    regex = "regex goes here"
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = serverA

    [send_to_serverB]
    regex = "regex goes here"
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = serverB

outputs.conf

    [syslog:serverA_group]
    server = x.x.x.1:514,x.x.x.2:514

    [syslog:serverB_group]
    server = x.x.1.1:514,x.x.1.2:514


This is currently not working and it seems to have something to do with the DEST_KEY = _SYSLOG_ROUTING.

I get some very strange results.

Can anyone point out where I have gone wrong, or whether this can be done at all?


Regards,

Ryan


isoutamo
SplunkTrust

Hi,
maybe this is not what you are expecting, but why do you want to use a HF as a syslog server? You are getting in pure syslog messages and forwarding those to other syslog servers (not into Splunk). It's much better to use a real syslog server (e.g. rsyslog or syslog-ng) for this than a Splunk HF.
r. Ismo

RyanH
Loves-to-Learn

Hello,

I'm using the HF because I want to filter the results that I send to each "Server"; this allows me to collect all the syslog and only index the messages I'm looking for.

So:

All Syslog -> (Regex match ) -> ServerA (My Splunk Server)

All Syslog -> (Regex match ) -> ServerB  (third party syslog server)


The HF seems to be able to do it; I just seem to be missing how to match two different regexes and send the results to the different servers.


Any help would be great,


Ryan


isoutamo
SplunkTrust

That is much better to do with syslog. Both rsyslog and syslog-ng can do that.

Above are some instructions on how to do it, and there are more on the net.

r. Ismo


PickleRick
Ultra Champion

If you just want to manipulate syslog events, use a syslog daemon. Using a HF for it is huge overkill.


PickleRick
Ultra Champion

As a nice "side effect", with a proper syslog server (rsyslog for sure, but probably syslog-ng can do that too), apart from redirecting simple syslog messages you can also send events to Splunk via HEC.
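For readers who still need the Splunk-side version of what the question asks for, the following is an added example and is not from any of the posters or from Splunk's own documentation pages. It assumes the regex values and the x.x.x.x addresses are placeholders, and it assumes one destination per syslog output group. The two details it changes relative to the configuration in the question are that the transforms.conf attribute is spelled REGEX, and that FORMAT must name the outputs.conf syslog group exactly (serverA_group, not serverA), otherwise the forwarder has no output to hand the event to and the results look "strange".

```ini
# props.conf on the heavy forwarder (added example; not from the thread)
# Both transforms run, in the listed order, against every event from any host.
[host::*]
TRANSFORMS-routing = send_to_serverA, send_to_serverB

# transforms.conf
# Attribute names follow transforms.conf.spec: REGEX, DEST_KEY, FORMAT.
# Do not put quotes around the regex: quotes are taken literally in .conf files.
[send_to_serverA]
REGEX = PLACEHOLDER_REGEX_A
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverA_group

[send_to_serverB]
REGEX = PLACEHOLDER_REGEX_B
DEST_KEY = _SYSLOG_ROUTING
FORMAT = serverB_group

# outputs.conf
# The stanza name after "syslog:" must match the FORMAT value above.
[syslog:serverA_group]
server = x.x.x.1:514

[syslog:serverB_group]
server = x.x.1.1:514
```

Two caveats a practitioner will want. First, both transforms write the same key, so an event that matches both regexes ends up only in serverB_group (the later assignment to DEST_KEY replaces the earlier one); if the two patterns can overlap and you need the event in both places, the patterns have to be made mutually exclusive or the event duplicated upstream. Second, serverA in the question is a Splunk server: routing to it with _SYSLOG_ROUTING sends raw syslog over port 514 rather than a forwarder-to-indexer stream, so for the Splunk destination the usual choice is a separate transform with DEST_KEY = _TCP_ROUTING and a [tcpout:...] group in outputs.conf, keeping _SYSLOG_ROUTING for the third-party syslog server only. As the replies above note, rsyslog or syslog-ng does the same regex-based splitting with far less machinery, and rsyslog's omhttp module can post matched events to a Splunk HEC endpoint.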
