Hello,
I am wondering how to send only the audit and splunkd logs of a Splunk instance to an external syslog server. I already did many trials editing inputs.conf, props.conf, transforms.conf and outputs.conf with no luck.
When I add the following stanza to outputs.conf, I get all logs of the Splunk instance sent to the syslog server; however, I need only audit.log and splunkd.log:
[tcpout:syslog_out]
disabled = false
server=x.x.x.x:514
sendCookedData=false
Thanks in advance
The following configuration worked fine for me:
inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log*]
_SYSLOG_ROUTING = syslog-out1
outputs.conf
[syslog]
defaultGroup = syslog-out1
[syslog:syslog-out1]
disabled = false
server = x.x.x.x:514
type = tcp
Regards,
Ahmed Elakwah
Have you checked out this document? http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Forwarddatatothird-partysystemsd
In your props.conf you can filter by [source::<path to audit.log>]. Specifically check this section:
Syslog data
... send data in standard syslog format. The forwarder sends the data through a separate output processor. You can also filter the data with props.conf and transforms.conf. You'll need to specify _SYSLOG_ROUTING as the DEST_KEY.
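As an added example (not from either answer above), the accepted inputs.conf/outputs.conf configuration extended to both files the question asked for, plus the props.conf/transforms.conf route the docs excerpt describes, which reaches the same result without touching the monitor stanzas. The group name syslog-out1 and the x.x.x.x placeholder are taken from the thread; the stanza layout of the default internal-log monitors is assumed to match the local file names.

```ini
# inputs.conf (local): both internal logs are already monitored by the default
# inputs.conf, so the local copy only has to add the routing key to each stanza.
[monitor://$SPLUNK_HOME/var/log/splunk/audit.log*]
_SYSLOG_ROUTING = syslog-out1

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log*]
_SYSLOG_ROUTING = syslog-out1

# outputs.conf: syslog target only. There is deliberately no [tcpout:...]
# stanza, since that is what forwarded every log in the original question.
[syslog]
defaultGroup = syslog-out1

[syslog:syslog-out1]
disabled = false
server = x.x.x.x:514
type = tcp

# Alternative to editing inputs.conf: select the two sources in props.conf and
# set _SYSLOG_ROUTING as the DEST_KEY in transforms.conf (the docs approach).
# props.conf  ("..." matches any prefix, "*" matches rotated copies such as .1)
[source::...var/log/splunk/audit.log*]
TRANSFORMS-route_audit = route_internal_to_syslog

[source::...var/log/splunk/splunkd.log*]
TRANSFORMS-route_splunkd = route_internal_to_syslog

# transforms.conf  (REGEX = . matches every event from the selected sources)
[route_internal_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog-out1
```

Use one of the two selection methods, not both; after restarting, confirm the result with `splunk btool inputs list --debug` and `splunk btool props list --debug` and by checking that the syslog server receives only audit and splunkd lines.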