Getting Data In

how to send audit and splunkd logs of splunk instance to external syslog server

aakwah
Builder

Hello,

I am wondering how to send only audit and splunkd logs of splunk instance to external syslog server, I already did many trials editing inputs.conf, props.conf, transforms.conf and outputs.conf with no luck.

When I add the following santza to outputs.conf I got all logs of splunk instance sent to syslog server, however I need only audit.log and splunkd.log

[tcpout:syslog_out]
disabled = false
server=x.x.x.x:514
sendCookedData=false

Thanks in advance

0 Karma
1 Solution

aakwah
Builder

The following configuration worked fine with me,

inputs.conf

[monitor://$SPLUNK_HOME/var/log/splunk/audit.log*]
_SYSLOG_ROUTING = syslog-out1

outputs.conf

[syslog]
defaultGroup = syslog-out1
[syslog:syslog-out1]
disabled = false
server = x.x.x.x:514
type = tcp

Regards,
Ahmed Elakwah

View solution in original post

0 Karma

aakwah
Builder

The following configuration worked fine with me,

inputs.conf

[monitor://$SPLUNK_HOME/var/log/splunk/audit.log*]
_SYSLOG_ROUTING = syslog-out1

outputs.conf

[syslog]
defaultGroup = syslog-out1
[syslog:syslog-out1]
disabled = false
server = x.x.x.x:514
type = tcp

Regards,
Ahmed Elakwah

0 Karma

rroberts
Splunk Employee
Splunk Employee

Have you checked out this document? http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Forwarddatatothird-partysystemsd
In your props.conf you can filter by [source:: path to audit.log ] . Specifically check this section:

Syslog data[edit]
... send data in standard syslog format. The forwarder sends the data through a separate output processor. You can also filter the data with props.conf and transforms.conf. You'll need to specify _SYSLOG_ROUTING as the DEST_KEY.