Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Unable to forward syslogs coming in from UDP:5...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to forward syslogs coming in from UDP:514
Here is my setup on my Heavy Forwarder
inputs.conf
[udp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0
[tcp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0
outputs.conf
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = < ip-address >:9997, < ip-address >:9997
However, on my indexers, I'm only able to see source tcp:514. My UDP syslogs are not being indexed.
Any idea where went wrong?
EDIT (resolved):
Just to update, configured my props.conf and solve the issue
Old configuration:
[host::10.1.1.1]
TRANSFORMS-change = change
Corrected configuration:
[source::udp:514]
TRANSFORMS-change = change
Hope this might be useful to anyone who is trying to achieve something similar to what i'm trying
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Xrtan,
You did not specified index on each input stanza. Did you enable receiving port 9997 on the Indexer ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi alemarzu, the event are going into default index main. 9997 is enabled on indexer too.
The indexer is indexing events from tcp:514 but not udp:514.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you tried to search those events directly on the Heavy Forwarder first ? (udp:514)
What about rules on your firewall, did you check them ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if i were to use indexandForward it will be able to index, however not able to send out.
Firewall has been turned off. Anyhow, i've figured out what went wrong. Thanks for the help, cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great xrtan, do you mind sharing the answers, it may help other members.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
