syslog data sent across forwarders and multiple indexers


I tried to do this:

Send syslog data from a network device (on port 514) to a Universal Forwarder listening on port 514 irrespective of (ANY) host's IP -> indexer listening on port 20980 -> to another Universal Forwarder listening on 20981 -> to a Syslog-NG server listening for all audit data from Splunk and syslog data.

The mode of travel goes like this:

Multiple syslog data > UF > Indexer > UF > Syslog-NG

The data traverses this many systems as they are in different network zones, with the final Syslog-NG server there being a vendor's component. I have ensured that the last Syslog server is receiving all my splunkd and other Splunk logs from all the components, but I cannot get the multiple syslog data (on port 514) to send over to the final Syslog-NG server.

What do I have to do to troubleshoot it?

I've created a similar setup, which varies slightly from the one at the top, to narrow down the problem.

Multiple syslog data (on port 514) -> Syslog Indexer -> UF -> Syslog-NG

Do note that the last Syslog-NG server is the same as the one at the top. This setup apparently is sending out all the splunkd and other Splunk logs properly; on top of that, the syslog data is going over correctly.

Can anyone please show me the way forward? I thank you in advance for your kind assistance.

The 2nd (similar) setup is working when sending to Splunk, but the 1st example is not transmitting. Multiple syslog data as in, e.g., network appliances which transmit only on UDP://514, or UDP-only traffic streams.

Have you run tcpdump or some other utility to verify that the last Universal Forwarder listening on 20981 is actually forwarding the syslog data to your syslog endpoint?

It could help if you explained more, not just about the setup, but also the problem. What do you mean by multiple syslog data? What's the expected outcome and how does it not work?

Help please, if anyone knows?

