As your receiver is fluentd, I assume that you have a syslog source listener on it? You probably have something similar to this:

<source>
  @type syslog
  port 8080
  bind 0.0.0.0
  tag cf.app
  message_length_limit 99990
  frame_type octet_count
  <transport tcp>
  </transport>
  <parse>
    message_format rfc5424
  </parse>
</source>

On the Splunk side you must format the events you send as valid syslog messages (RFC5424). Otherwise fluentd won't accept them, and quite soon Splunk's queues are full and so on... Unfortunately I don't currently have any syslog server to test this. But I suppose it goes something like this: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Outputsconf#Syslog_output

[syslog]
defaultGroup = syslog:syslog_out

[syslog:syslog_out]
server = <Your fluentd server>:<receiving port>
type = tcp
timestampformat = %b %e %H:%M:%S
maxEventSize = <XXXX if greater than 1024>

Probably you also need a props.conf & transforms.conf to route events to this syslog output instead of that pure tcpout (or maybe you don't need the tcpout stanza at all?). I hope those instructions in the docs are clear enough. There are also some old posts, but unfortunately those seem to be for HF configuration, not for the indexer. Please let us know which configuration actually works once you have got it running.
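Added example, not part of the original post or of the fluentd/Splunk projects: a small Python script that produces the byte stream a fluentd `in_syslog` source configured with `frame_type octet_count` and `message_format rfc5424` expects, and a receiver-side check that splits the octet-counted frames and validates each message against the RFC 5424 header grammar. The hostnames, app name and log payloads are constructed for illustration, and the `send_frames` helper is only a convenience for pointing the output at a real listener. It also shows what happens to a BSD-style (RFC 3164) line with a `%b %e %H:%M:%S` timestamp under an rfc5424 parser, and how a partially received frame is held back until more bytes arrive.

```python
"""Build and validate octet-counted RFC 5424 syslog frames (added example)."""
import re
import socket
from datetime import datetime, timezone

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    rb"(?P<ts>-|\d{4}-\d{2}-\d{2}T[0-9:.]+(?:Z|[+-]\d{2}:\d{2})) "
    rb"(?P<host>\S{1,255}) (?P<app>\S{1,48}) (?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    rb"(?P<sd>-|(?:\[[^\]]*\])+)"
    rb"(?: (?P<msg>.*))?$",
    re.DOTALL,
)


def build_rfc5424(msg, *, hostname="splunk-idx1", appname="splunk", procid="-",
                  msgid="-", ts=None, facility=1, severity=6):
    """Sender side: one RFC 5424 message. hostname/appname are constructed defaults."""
    ts = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # millisecond precision, UTC
    pri = facility * 8 + severity  # PRI = facility * 8 + severity
    header = f"<{pri}>1 {stamp} {hostname} {appname} {procid} {msgid} -"
    return (header + " " + msg).encode("utf-8")


def frame_octet_count(payload: bytes) -> bytes:
    """RFC 6587 octet counting: decimal byte length, one space, then the message.
    This is the framing fluentd's `frame_type octet_count` reads off the TCP stream."""
    return b"%d %s" % (len(payload), payload)


def split_octet_frames(buf: bytes):
    """Receiver side: pull complete frames off a byte buffer.
    Returns (messages, leftover); leftover is an incomplete trailing frame that
    needs more bytes. A non-numeric length prefix raises ValueError."""
    messages = []
    pos = 0
    while pos < len(buf):
        sp = buf.find(b" ", pos)
        if sp == -1:
            break  # length prefix not complete yet
        length_field = buf[pos:sp]
        if not length_field.isdigit():
            raise ValueError(f"bad octet-count prefix: {length_field!r}")
        start, end = sp + 1, sp + 1 + int(length_field)
        if end > len(buf):
            break  # message body not complete yet
        messages.append(buf[start:end])
        pos = end
    return messages, buf[pos:]


def parse_rfc5424(raw: bytes):
    """Validate one message against the RFC 5424 grammar; None if the header
    does not match (the message would not pass an rfc5424 parser)."""
    m = RFC5424_RE.match(raw)
    if not m:
        return None
    fields = {k: (v.decode("utf-8", "replace") if v is not None else "")
              for k, v in m.groupdict().items()}
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields


def send_frames(host, port, payloads):
    """Push framed messages over one TCP connection to a live listener."""
    with socket.create_connection((host, port)) as s:
        for p in payloads:
            s.sendall(frame_octet_count(p))


def demo():
    """Constructed stream: one valid RFC 5424 event, one BSD-style line, one partial frame."""
    good = build_rfc5424('index=main sourcetype=access_combined "GET /login"',
                         ts=datetime(2024, 1, 1, 12, 0, 0, 123000, tzinfo=timezone.utc))
    bsd = b"<14>Jan  1 12:00:00 splunk-idx1 splunk: index=main sourcetype=access_combined"
    stream = frame_octet_count(good) + frame_octet_count(bsd) + b"17 <14>1 2024-"
    msgs, rest = split_octet_frames(stream)
    return [parse_rfc5424(m) for m in msgs], rest


if __name__ == "__main__":
    parsed, leftover = demo()
    for p in parsed:
        print("OK" if p else "REJECT", p and p["ts"], p and p["msg"])
    print("held back:", leftover)
```

`demo()` returns a parsed dict for the RFC 5424 event, `None` for the BSD-style line (no version field after the PRI, and a `Jan  1 12:00:00` timestamp), and hands the incomplete third frame back as leftover so the caller can prepend it to the next read from the socket.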