send a subset of logs via syslog to a Third Party and all logs to Indexer

gcusello
Esteemed Legend

Hi at all,

I have a problem that is described many times in Splunk docs but I didn't find my Use Case:

  • I have to send all my logs from a Heavy Forwarder to an Indexer and to a third party system via syslog,
  • Indexer must receive all the logs,
  • Third Party system must receive a subset of these data (three sourcetypes) using syslogs (udp).

I used the available documentation (https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf ) but the result is that I'm sending all the logs both to Indexer and syslog; in other words, I'm not able to filter the syslog output.

These are my conf files on HF:

[tcpout]
defaultGroup = Nothing
indexAndForward = 0

[tcpout:Splunk]
server = 1.1.1.1:9997

[tcpout-server://1.1.1.1:9997]

[syslog]
defaultGroup =  syslog

[syslog:syslog]
type=udp
server=2.2.2.2:514


I tried with and without defaultGroup on Splunk and syslog; then I tried to add syslogSourceType = sourcetype::sourcetype1/2/3 to the syslog stanza to filter data.

props.conf:

[sourcetype1]
TRANSFORMS-routing = Splunk,syslog

[sourcetype2]
TRANSFORMS-routing = Splunk,syslog

[sourcetype3]
TRANSFORMS-routing = Splunk,syslog


I tried also adding TRANSFORMS-routing = Splunk for all the other sourcetypes to send to Indexer but not to syslog.

Then I tried to use two TRANSFORMS stanzas.

transforms.conf:

[Splunk]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=Splunk

[syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog


I also tried using three stanzas, one for each sourcetype, and also adding a regex for each sourcetype.


At the end, I continue to have all the data both to Indexer and syslog!

Can anyone help me to understand where I'm going wrong?

Ciao and thanks.

Giuseppe

1 Solution

gcusello
Esteemed Legend

Hi at all,

I solved it by adding, in inputs.conf, _TCP_ROUTING to all the sourcetypes and _SYSLOG_ROUTING to the three to be sent to syslog.

I hoped that there was an easier way!

Ciao, everyone.

Giuseppe
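A worked layout of the fix described in this answer, added here as an example and not taken from the original post. It assumes the three sourcetypes arrive on their own input ports (hypothetical ports 10001-10003), because _TCP_ROUTING and _SYSLOG_ROUTING are per-input-stanza settings and cannot separate sourcetypes that share a single [tcp://:9997] input; the group names Splunk and syslog match the outputs.conf shown in the question.

```ini
# --- inputs.conf on the Heavy Forwarder (added example, not the poster's file) ---
# Assumption: one input stanza per sourcetype, so routing can be set per input.

# Everything arriving here goes to the indexer only
[tcp://:9997]
disabled = 0
_TCP_ROUTING = Splunk

# The three sourcetypes that must also be copied to the syslog receiver
[tcp://:10001]
sourcetype = sourcetype1
_TCP_ROUTING = Splunk
_SYSLOG_ROUTING = syslog

[tcp://:10002]
sourcetype = sourcetype2
_TCP_ROUTING = Splunk
_SYSLOG_ROUTING = syslog

[tcp://:10003]
sourcetype = sourcetype3
_TCP_ROUTING = Splunk
_SYSLOG_ROUTING = syslog

# --- outputs.conf: the two groups referenced above ---
# No defaultGroup is set for syslog, so data reaches 2.2.2.2:514 only when an
# input (or a transform) sets _SYSLOG_ROUTING explicitly.
[tcpout]
defaultGroup = Splunk

[tcpout:Splunk]
server = 1.1.1.1:9997

# UDP syslog is unauthenticated, unencrypted and unacknowledged; the receiver
# sees only the three sourcetypes routed to this group.
[syslog:syslog]
type = udp
server = 2.2.2.2:514
```

Check the effect with a quick search on the indexer for each sourcetype and a packet capture on the syslog receiver: only sourcetype1, sourcetype2 and sourcetype3 should appear on 2.2.2.2:514.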

adobrzeniecki_s
Splunk Employee

Can you show the inputs.conf for reference?

gcusello
Esteemed Legend

Hi @adobrzeniecki_s,

my Heavy Forwarder was receiving logs from other systems, so the inputs.conf was very simple:

[tcp://:9997]
disabled = 0

Ciao.

Giuseppe
