I tried to do this:
Send syslog data from network devices (on port 514) to a Universal Forwarder listening on port 514, regardless of (ANY) host IP -> an indexer listening on port 20980 -> another Universal Forwarder listening on port 20981 -> a Syslog-NG server listening for all audit data from Splunk plus the syslog data.
The data travels like this:
Multiple syslog data > UF > Indexer > UF > Syslog-NG
The data traverses this many systems because they are in different network zones, with the final Syslog-NG server being a vendor's component. I have verified that the last Syslog-NG server is receiving all my splunkd and other Splunk logs from all the components, but I cannot get the syslog data (on port 514) to go through to the final Syslog-NG server.
What do I have to do to troubleshoot it?
I've created a similar setup, which varies slightly from the one above, to narrow down the problem:
Multiple syslog data (on port 514) -> Syslog Indexer -> UF -> Syslog-NG
Do note that the last Syslog-NG server is the same as the one above. This setup is apparently sending out all the splunkd and other Splunk logs properly; on top of that, the syslog data is going over correctly.
Can anyone please show me the way forward? I thank you in advance for your kind assistance.
The 2nd (similar) setup is working when sending to Splunk, but the 1st example is not transmitting. "Multiple syslog data" as in, e.g., network appliances which transmit only on UDP://514, i.e. UDP-only traffic streams.
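As an added troubleshooting example (not part of the original post, and not Splunk or syslog-ng tooling): a small Python probe that injects a uniquely tagged RFC 3164 message over UDP at the first hop, so the same marker can be searched for at each hop in turn (the UF's received data, the indexer's search results, the final Syslog-NG log file) and the hop where it stops becomes visible. Because the message is built locally, the parser can also report which header fields (PRI, timestamp, hostname) were rewritten if a hop re-wraps the message before passing it on. The hostnames, ports, tag and marker format are assumptions; the self-test binds a loopback socket on an ephemeral port so it runs without the real chain.

```python
"""UDP syslog path probe: send a marked RFC 3164 message, find it downstream.

Added example for tracing a syslog path hop by hop. All hostnames, ports and
the marker format are assumptions; nothing here comes from Splunk or syslog-ng.
"""
import re
import socket
import sys
import time
from datetime import datetime

# RFC 3164: PRI = facility * 8 + severity. local0/notice is a conventional
# choice for a test message that production appliances rarely use.
FACILITY_LOCAL0 = 16
SEVERITY_NOTICE = 5

# <PRI>TIMESTAMP HOSTNAME TAG: MSG  (classic BSD syslog layout)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def build_message(hostname, tag, marker, facility=FACILITY_LOCAL0,
                  severity=SEVERITY_NOTICE, when=None):
    """Build one RFC 3164 line carrying a unique marker string."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 wants "Mmm dd" with a space-padded day, e.g. "Jan  5".
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{ts} {hostname} {tag}: {marker}"


def parse_message(line):
    """Split an RFC 3164 line into fields; None if it is not syslog-shaped."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def send_udp(host, port, line):
    """Fire one datagram at the first hop, the way a UDP-only appliance does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def wait_for_marker(sock, marker, timeout=5.0):
    """Read datagrams from an already-bound UDP socket until the marker shows up
    or the overall deadline passes; returns the raw line or None."""
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        sock.settimeout(remaining)
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            return None
        line = data.decode("utf-8", "replace")
        if marker in line:
            return line


def diff_fields(sent, received):
    """Names of header fields some hop rewrote between sender and receiver."""
    a, b = parse_message(sent), parse_message(received)
    if a is None or b is None:
        return ["unparseable"]
    return [k for k in a if a[k] != b[k]]


def loopback_selftest():
    """Prove the probe works before pointing it at the real chain: bind a
    listener on an ephemeral loopback port, send to it, compare the fields."""
    marker = f"SYSLOG-PATH-TEST-{int(time.time())}"   # assumed marker format
    line = build_message("probe-host", "pathtest", marker)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))       # bind before sending so nothing is lost
        port = rx.getsockname()[1]
        send_udp("127.0.0.1", port, line)
        got = wait_for_marker(rx, marker, timeout=2.0)
    return {"sent": line, "received": got,
            "changed": diff_fields(line, got) if got else None}


if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: probe.py <first-hop-host> <port>
        marker = f"SYSLOG-PATH-TEST-{int(time.time())}"
        send_udp(sys.argv[1], int(sys.argv[2]),
                 build_message(socket.gethostname(), "pathtest", marker))
        print("sent marker", marker, "- now search each hop for it")
    else:
        print(loopback_selftest())
```

Run the self-test first; then send a probe from the appliance side at the UF's 514, and look for the marker in what the UF received, in a search on the indexer, and finally in the Syslog-NG file. If it is missing at the very first hop, check that the UF actually has a UDP 514 network input configured (a `[udp://514]` stanza in its inputs.conf) and that the UF process is allowed to bind a port below 1024 (root or CAP_NET_BIND_SERVICE on Linux). If the marker reaches Syslog-NG but `diff_fields` reports changed header fields, the hop that re-wrapped the message is the one whose output configuration to examine.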