Unable to forward syslog to third-party syslog server

forrest_NUS
New Member

I have an all-in-one environment, which indexes VPN logs. I also want to forward the raw VPN logs to a third-party syslog server.
I have configured outputs.conf, transforms.conf, and props.conf as in the snapshot; however, it cannot forward any log out.

09-18-2017 17:45:02.632 +0800 INFO Metrics - group=syslog_connections, vpnsyslog:172.18.165.144:514:172.18.165.144:514, sourcePort=8089, destIp=172.18.165.144, destPort=514, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=0, _tcp_eps=0.00

Anything wrong with my configuration?


gcusello
SplunkTrust

Hi forrest_NUS,
did you disable the local firewall on these ports?
Bye.
Giuseppe


forrest_NUS
New Member

Hi Cusello,

The firewall is enabled.

I added a default group in outputs.conf, and it forwarded all logs to the third-party syslog server.
However, my requirement is to forward just the selected source type to the third party.
My previous outputs.conf was like the following:
[syslog]
defaultGroup = vpnsyslog

[syslog:vpnsyslog]
server = 172.18.165.144:514


gcusello
SplunkTrust

Hi forrest_NUS,
If the firewall must remain enabled, you have to configure it to open port 514.
Only for a test, try to disable the firewall and check if it's OK, then try to open port 514.

If the problem remains, test all connections between the indexer and the third-party server using telnet 172.18.165.144 514

If that is still OK, verify with tcpdump whether there's traffic between the indexer and the third-party server.
You could also verify using some tool to send a syslog message to the third party; in this way you can exclude connection issues and then look for Splunk configuration problems.

I suggest verifying the connections because your Splunk configuration seems to be OK.

Anyway, the problem is often the local or remote firewall!

Bye.
Giuseppe


forrest_NUS
New Member

Hi Giuseppe,

Thanks for your kind reply.
I have verified the UDP connection, and it's OK.

The issue appears when I remove the defaultGroup from outputs.conf: then no syslog is sent out.
If I keep the defaultGroup, then all logs are sent to the third party; however, I just want to send the selected source type's logs to the third party.

Regards,
Forrest


gcusello
SplunkTrust

Only one final test: in props.conf, try to modify the stanza. When you route by sourcetype, you can use the sourcetype name directly as the stanza:

[juniper:sslvpn]
TRANSFORMS-syslog = syslog-out

Bye.
Giuseppe

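As an added example, not code posted by either participant, here is the complete three-file configuration that forwards only one sourcetype to a syslog output group without any defaultGroup. It assumes the sourcetype juniper:sslvpn and the destination 172.18.165.144:514 mentioned in the thread, and that the files live on the all-in-one indexer (routing via props/transforms is decided at parse time, so it must run on an indexer or heavy forwarder, not on a universal forwarder). The transform name syslog-out and the group name vpnsyslog are taken from the thread; the TRANSFORMS class name syslogroute is an arbitrary choice.

```ini
# props.conf  -- bind the routing transform to the one sourcetype you want out
[juniper:sslvpn]
TRANSFORMS-syslogroute = syslog-out

# transforms.conf  -- the transform writes the output-group name into the
# _SYSLOG_ROUTING key; REGEX = . matches every event of that sourcetype
[syslog-out]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = vpnsyslog

# outputs.conf  -- deliberately NO [syslog] defaultGroup: with a defaultGroup
# every event goes to the group, without it only events whose _SYSLOG_ROUTING
# key names "vpnsyslog" are sent; everything else is just indexed locally
[syslog:vpnsyslog]
server = 172.18.165.144:514
type = udp
```

After a splunkd restart, confirm the stanza is actually applied with `splunk btool props list juniper:sslvpn --debug` (it shows which file each setting comes from, which catches a typo in the sourcetype name or a stanza shadowed by another app). Then watch the `group=syslog_connections` Metrics line in splunkd.log, as in the first post: `_tcp_Kprocessed` and `_tcp_eps` should climb above zero as new juniper:sslvpn events arrive, while other sourcetypes stay local.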