Using Splunk Universal forwarder to third party lo...

kuhnto · ‎04-29-2021

We are investigating various logging clients to send to our current log server. Splunk UF is one. We are in a long term position of getting splunk enterprise as a new logger, but prior to that, as an interim, were considering Splunk UF. The documentation seems to point to interoperability with third party loggers. Is there and licensing that needs to be purchased to use Splunk UF with a non-Splunk logger server, or is it free to download that that use?

tscroggins · ‎05-02-2021

@kuhnto

You can stream raw chunks over TCP to third-party systems by setting sendCookedData = false in a custom tcpout stanza in outputs.conf. E.g:

[tcpout]
defaultGroup = foo

[tcpout:foo]
server = 192.0.2.1:1234, bar.example.com:4567
sendCookedData = false

See https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd for more information.

You do lose all parsing functionality when forwarding to third-party systems. You can technically use Splunk Enterprise in a similar way--Splunk Universal Forwarder and Splunk Enterprise share the same codebase--but some functionality is disabled without a license.

I recommend contacting Splunk and/or legal counsel regarding Splunk Universal Forwarder licensing.

Using Splunk Universal forwarder to third party logger?

other

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...