Hi Giuseppe

Thanks for responding back, for clarification the instructions mentioned two ip addresses

• Splunk Enterprise indexer (10.1.12.1:9997)
• third-party machine (10.1.12.2:1234)

For this to work do I need to set up my Splunk Enterprise indexer and third party machine before setting this up?

Hi

definitely you must have syslog receiver (and also your Splunk indexer) working on before you do this. If there isn't any service to receive those events then those are queued to tcpout queue and when it's full then this node don't send events to any receivers before all queues are flushed!

r. Ismo

Hi

Just to confirm is the Splunk indexer the same as the Splunk Enterprise instance that is setup collecting active directory logs? Also is there a syslog receiver that you would recommend for anyone on a Splunk Cloud trial?

Hi @asmyth1995 ,

probably there's a misunderstanding or I didn't understand your architecture:

• you have Splunk Cloud.
• you have a third party syslog receiver in a different server,
• what's the Splunk Enterprise instance?
• what's it's role? is it an Heavy Forwarder?

if you need an instance to extract AD logs and forward them both to Splunk Cloud and third party syslog, you don't need to have also a Universal Forwarder in the same VM but only a Full Splunk Instance configured as an Heavy Forwarder.

If you're speaking of the UFs on the Domain Controllers that send logs to the Heavy Forwarder ok, they are configured to send their logs to the HF.

Then the HF send logs both to the destinations (Splunk Cloud and syslog).

Ciao.

Giuseppe

Yes it like that

• Splunk Indexer <=> Splunk Enterprise instance

If you haven't any syslog server on your hand, then one option is Splunk Connect for Syslog. Basically in trial phase you could use almost any syslog server to with correct configurations to send those events to directly to splunk cloud or 1st collect those to disk and then use UF to send those to SC.

I just wondering why you want to route those via syslog server instead of sending those directly to SC?

Thanks for responding back. How do I find the IP address for both the Splunk Enterprise Instance, I noticed the ip address is present in the URL bar of the browser but it is 127.0.0.1. i just wanted to confirm if that is the correct way to find the ip address?

Also how do I do the same for the syslog server after setting it up?

One more thing, say if I didn't decide to use a heavy forwarder and instead wanted to use a universal forwarder, how do I find the ip address for the universal forwarder since it doesn't have a UI like Splunk Enterprise which I think is meant to act as a Heavy Forwarder.

127.0.0.1 is localhost which cannot use from outside of that host. Basically you must know the external IP address or FQDN (full qualified domain name) for those hosts where you have installed those components. 

Hi @asmyth1995 ,

you spoke that you have Splunk Cloud, this means that you have to use the app downloaded by Splubnk Cloud.

then, in this app or in a different app (better!), you have to add the stanzas for syslog routing in outputs.conf and add the props.conf and transforms.conf that you can find in the above link.

Obviously you Splunk Cloud must be ready to receive logs and also the syslog receiver otherwise you cannot check the configuration.

See in Community there are many answers on this item.

I found many issues in syslog configuration but I described a solution at https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-an... .

Ciao.

Giuseppe

Hi Giuseppe

I don't remember using an app when I signed up on the Splunk Cloud Trial. I usually accessed Splunk Cloud on my browser. I did download a universal forwarder which I can see in a folder on my machine and the credentials at the start of the trial.

Also in the documentation it did mention those conf files but they were not present in etc/system/local/ folder. I remembered reading on a post that the conf files have to be written and then SplunkForwarder restarted.

I did something similar in the Splunk Enterprise folder where I wrote the conf files and restarted Splunk Enterprise in server controls but it gave an error on the UI where it said the forwarder stopped working. I think it is because I didn't put in the right IP address for the Splunk Enterprise indexer and I didn't have the syslog receiver setup properly.

Hi @asmyth1995 ,

you have to download the Add-On from your Splunk Cloud instance in your pc (Download folder).

then you have to install this add-on by GUI and restart Splunk.

In this way your HF is connected to ,Splunk Cloud and you can see its logs in SC.

For syslogs, you have to follow the instructions at the above link to add the additional configurations.

Ciao.

Giuseppe