send syslog event to third party server. Linux

sichi
New Member

Hello there, I'm a newbie to Splunk and need your help please to forward syslog logs coming into Splunk to another third-party Linux server. I can clearly see on my SH instance that there are logs with sourcetype=syslog, but when I use a heavy forwarder to forward these logs I receive nothing. I configured the receiving of the heavy forwarder to listen on 9997. Then my sources would send their logs to the HF using 9997. The HF also transmits all it receives to the Splunk SH on 9997, and I'm also trying to transmit syslog to the third-party server. When I configure the outputs with the following configuration for syslog, I receive nothing on my server.

[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]

and when I just use

[tcpout:custom_group]
server = ip:port
sendCookedData = false

I receive all kinds of data and none of it is tagged with a sourcetype. Although I can see syslog events among them, they are not tagged properly.

Please help me out. Thanks in advance.

Richfez
SplunkTrust

Allow me to try to restate what it is you have said - please correct as appropriate!

You have syslog coming in to Splunk.  You would like to forward these to another syslog system, in addition to ingesting them into Splunk.  So devices send syslog to a Splunk heavy forwarder instance, and you'd like that HF to send those incoming syslogs both to Splunk (as cooked data) and to yet another syslog instance (as syslog).

Hopefully that sounds like what you are doing.

Some questions then -

1) How is the HF receiving syslog? Directly with the Splunk syslog input, or via some "regular syslog app" on the system?

Also, this seems like a lot of work and re-work. Why can't you just send syslog from the source devices to two separate entities? And even if you can't, hopefully the answer to the above question is that you are using syslog-ng (which I'm positive can duplicate syslog as it comes in), so you can break this problem into two pieces: one of receiving syslog and forwarding it, and another of Splunk reading the files the syslog server creates.

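For the case where the heavy forwarder really does receive syslog directly (the first of the two setups Richfez asks about), the following is an added example of the .conf files that make the `[syslog]` output in the question actually send something. It is not from the original post or from Splunk's own documentation set; the IP addresses, the group name `syslogGroup` (kept from the question) and the transform name `send_to_syslog` are assumptions for illustration. Two points it demonstrates that the question's configuration is missing: the `[syslog:<group>]` stanza needs a `server` key, and nothing is sent to a syslog output group until a transform sets `_SYSLOG_ROUTING` for the events that should go there. It also explains the second symptom in the question: a `[tcpout]` group with `sendCookedData = false` writes only the raw event text, so the receiver never sees sourcetype or any other metadata.

```ini
# inputs.conf on the heavy forwarder
# (assumed: devices send plain syslog over UDP 514, not Splunk-cooked data on 9997)
[udp://514]
sourcetype = syslog
connection_host = ip

# outputs.conf on the heavy forwarder
# Cooked data still goes to the Splunk indexer / search head on 9997.
[tcpout]
defaultGroup = splunk_indexers

[tcpout:splunk_indexers]
server = 10.0.0.10:9997

# The syslog output group. 'server' is required; the question's stanza lacked it.
# Output on this path is uncooked syslog text, not Splunk's cooked stream.
[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]
server = 10.0.0.20:514
# udp is the default transport; set tcp if the third-party receiver expects TCP.
type = udp

# props.conf on the heavy forwarder
# Apply the routing transform to every event with sourcetype=syslog.
[syslog]
TRANSFORMS-syslogroute = send_to_syslog

# transforms.conf on the heavy forwarder
# Match every event (REGEX = .) and tag it for the syslogGroup output.
# Events routed this way are also still indexed via the tcpout default group.
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
```

After restarting the forwarder, `splunk btool outputs list syslog:syslogGroup --debug` and `splunk btool transforms list send_to_syslog --debug` show whether the stanzas were picked up and from which file, and a packet capture on the third-party host (`tcpdump -n udp port 514`) confirms that traffic is arriving. Because the routing decision is made in the parsing pipeline, these props and transforms must live on the heavy forwarder that parses the data, not on the search head.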