Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syslog routing

szrobag
Explorer
‎05-29-2018 06:11 AM

Hello

I have few of devices logging to an index feeding Splunk via Syslog on 514/UDP.
I want to index and syslog-route logs coming in over port 514 from one IP address to a specific remote syslog server.

I have tried this config, dont know what's went wrong... :

props.conf

[host::x.x.x.x]
TRANSFORMS-fw-1 = redirect_1
TRANSFORMS-fw-2 = redirect_2

transforms.conf

[redirect_1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ( syslog server defined in outputs.conf )

I see indexed data, but not the syslog output...

Or... define the host in inputs.conf

[udp://x.x.x.x:514]
_SYSLOG_ROUTING = ( syslog server defined in outputs.conf )

thanks.

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-29-2018 08:54 AM

Change the FORMAT in transforms.conf to the outputs.conf stanza name. Not the server name:

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fw_test

0 Karma
Reply

szrobag
Explorer
‎05-29-2018 09:03 AM

No need to modify, i already use "FORMAT = fw_test" in config.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-29-2018 09:08 AM

What if you combine your transforms statement in props.conf:

TRANSFORMS-fw = redirect_1, redirect_2

0 Karma
Reply

szrobag
Explorer
‎05-29-2018 09:56 AM

I tried to add the stanzas in one transform rule first. Unfortunately the result was the same. I got indexed data, but no syslog out.
It is possible to debug this kind of failures with splunk log somehow ?

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎05-29-2018 06:45 AM

Can you share how you defined the syslog server in outputs.conf? Scrubbed is fine.

0 Karma
Reply

szrobag
Explorer
‎05-29-2018 06:53 AM

Sure.

[syslog:fw_test]
disabled = false
server = 8.8.8.8:514
type = udp

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...