Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HF - log routing to Search Head AN to syslog server

zoltansoos
New Member
‎07-23-2020 10:56 PM

Dear All,

 

can you please help me.

Tried to solve the below question, but up to this moment it seems I could not find the precise solution.

 

3 machines in the Splunk system.

Machine 1: Windows server, Search Head and Indexer server

Machine 2: Windows Domain Controller with deployed heavy forwarder on it (only local Windows log collection).

Machine 3: syslog server

 

The goal to send the local logs from heavy forwarder (Machine 2) to:

-syslog server (all the local logs - Windows Security logs as well - and the line breaks should be changed to “;”)

-Search Head Server (only the Windows Security logs without any modification)


Modified the .conf files in the C:\Program Files\Splunk\etc\system\ on heavy forwarder server.

Of course I can see the Windows logs on the heavy forwarder, and some logs are sent to syslog / Search Head server, but not what I want…

 

outputs.conf
...
[tcpout:indexer_group]
server=<searchheadserveripaddress>:9997

[syslog:syslog_group]
server=<syslogserveripaddress>:514
type=tcp
...


transforms.conf
...
[send_to_syslog]
REGEX=.
DEST_KEY=_SYSLOG_ROUTING
FORMAT=syslog_group

[send_to_indexer]
REGEX=.
DEST_KEY=_TCP_ROUTING
FORMAT=indexer_group
...

 

props.conf
...
[source::WinEventLog:Security]
TRANSFORMS-routing=send_to_indexer, send_to_syslog
priority=5

[host::*]
TRANSFORMS-routing=send_to_syslog
SEDCMD=s/[\n\r]/;/g
priority=10
...

 

Thank you.

Labels (2)
0 Karma
Reply

gmorreale_splun
Splunk Employee
Splunk Employee
‎07-24-2020 02:38 AM

My 2 cents here are: don't do it!
Creating 2 or more output groups with one or more 3rd party devices as receivers will only lead to problems.
Every time the connection to the syslog server goes down or is too slow or if the syslog server is not responsive, all forwarding stops, also for all the other outputs ...

If they really want to do it, you should do it with 2 separate HFW, so as not to cause interference. An HFW that sends data to Splunk and another parallel that sends to 3rd party devices!

My "2 millions" "pre-sales" question: WHY would you want a customer to use Splunk set-up to send data to third party tools and being this "POC" scope, sending to third party tools?  🤔 

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...