I have Splunk v5.0 running on RHEL and I want to forward all syslog messages (%SYS-CONFIG-5 events) from Splunk to another system. I've been looking through the forum and have seen light/heavy forwarders etc. and also seen about editing the outputs.conf file. I'm not sure how to specifically go about doing this.
If someone can help, I'd appreciate it.
Hi guys, thanks for your comments up to now; I've managed to get back to this.
So I've configured as per below but it's still not working, and I've no idea where to start looking for the reason why. I've also enabled the heavy forwarder. I'd appreciate some guidance, even if you just tell me where to look for some clues.
disabled = false
TRANSFORMS-fwdsyslog = send_to_ncm
REGEX = SYS-5-CONFIG
DEST_KEY = _SYSLOG_ROUTING
FORMAT = MY_GROUP
Thanks, I've actually tried it both ways; neither would work, but I'm trying to match SYS-5-CONFIG just so I can initiate a config pull based on it. I don't need everything.
Is SYS-5-CONFIG in every event in your _raw data? Why not just use REGEX = .? This regex will grab every syslog event. Everything else looks fine.
The full install of Splunk contains the Light Forwarder and Heavy Forwarder. Run ./splunk help; if you see splunkd and splunk web listed in the status, you have a full install, else it's a UF. To check if HF or LF is enabled, type ./splunk display app. If you see SplunkForwarder Enabled you have a HF, or SplunkLightForwarder Enabled you have a LF.
There is a possibility that you don't have a forwarder AT ALL, but rather a standalone Splunk indexer.
See this for info on where you can configure stuff.
PS. A Lightweight Forwarder is an older form of forwarder, now deprecated in favour of Universal Forwarder
You should know what you installed 🙂
There are two options: either you have a Universal Forwarder (no GUI, no local indexing of events, located in
or a Heavy Forwarder, which is a regular Splunk instance that has been configured to forward incoming events (and possibly index them locally as well). The GUI may optionally be turned off.
Thanks guys, but how do I know if I have a heavy forwarder or not?
If you want to forward a subset of data to Splunk and a third party, you will have to use a concept called data routing and filtering. To accomplish this you need a Heavy Forwarder installed instead of a Universal or Light Forwarder, and you edit outputs.conf, props.conf, and transforms.conf. By doing this you are sending raw syslog data to the other system.
If you have a network-like appliance, you can have two syslog recipients listed.
Hope this helps or gets you started. Don't forget to accept and/or vote up answers.
You need the Heavy forwarder to be able to do this. The universal forwarder does not inspect events so you would not be able to forward based on a condition in the event.
The basic steps are:
1. Configure outputs.conf with the remote system. Don't set a default group, so by default you don't forward
2. Configure props.conf to run a transform for syslog source
3. Configure transforms.conf to set TCP routing when your condition is met
See the doco
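The three files for the steps above, written out as an added example (this is not configuration from the thread or from Splunk's documentation). The remote host 192.0.2.10, the ports 9997 and 514, the group names ncm_group and ncm_syslog, and the [source::udp:514] input stanza are all assumptions; substitute your own. The _TCP_ROUTING transform sends matching events as cooked Splunk-to-Splunk data, which is what the last answer describes; the commented _SYSLOG_ROUTING variant at the end sends them as raw syslog to a non-Splunk receiver, which is what the question's own config and the "data routing and filtering" answer do, and REGEX = . in the same stanza would route every event as the earlier reply suggests:

```ini
# ---- outputs.conf on the heavy forwarder (added example, not from the thread) ----
# No defaultGroup under [tcpout]: nothing is forwarded unless a transform
# stamps a routing key on the event. indexAndForward keeps a local copy of
# everything on the HF, so unmatched events are still searchable here.
[tcpout]
indexAndForward = true

# Splunk-to-Splunk (cooked) destination. Host and port are assumptions.
[tcpout:ncm_group]
server = 192.0.2.10:9997

# Raw-syslog destination for a receiver that is not Splunk. Assumed host/port.
[syslog:ncm_syslog]
server = 192.0.2.10:514
type = udp

# ---- props.conf: attach the transform to the syslog input ----
# [source::udp:514] is an assumption; use the source or sourcetype your
# syslog events actually carry (check with: index=* | stats count by source sourcetype).
[source::udp:514]
TRANSFORMS-fwdsyslog = send_to_ncm

# ---- transforms.conf: route only events whose _raw matches REGEX ----
# REGEX is a case-sensitive PCRE matched against the whole raw event.
# Only matching events get the routing key, so only they leave the HF.
[send_to_ncm]
REGEX = SYS-5-CONFIG
DEST_KEY = _TCP_ROUTING
FORMAT = ncm_group

# Variant: ship the matching events as raw syslog instead of cooked data.
# Swap the two keys above for these and point at the [syslog:...] group.
# DEST_KEY = _SYSLOG_ROUTING
# FORMAT = ncm_syslog
```

Restart splunkd after editing and confirm the merged result with `splunk btool transforms list send_to_ncm --debug` and `splunk btool outputs list --debug` so you can see which file each setting came from. Test the regex against a real event before relying on it: a Cisco IOS configuration-change message reads `%SYS-5-CONFIG_I: Configured from console by ...`, which `SYS-5-CONFIG` matches and `SYS-CONFIG-5` (the form in the original question) does not. Connection problems to the remote host show up in $SPLUNK_HOME/var/log/splunk/splunkd.log under TcpOutputProc.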