Hello
I have a few devices logging to an index feeding Splunk via syslog on 514/UDP.
I want to index and syslog-route logs coming in over port 514 from one IP address to a specific remote syslog server.
I have tried this config, don't know what went wrong...:
props.conf
[host::x.x.x.x]
TRANSFORMS-fw-1 = redirect_1
TRANSFORMS-fw-2 = redirect_2
transforms.conf
[redirect_1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group
[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ( syslog server defined in outputs.conf )
I see indexed data, but not the syslog output...
Or... define the host in inputs.conf
[udp://x.x.x.x:514]
_SYSLOG_ROUTING = ( syslog server defined in outputs.conf )
thanks.
Change the FORMAT in transforms.conf to the outputs.conf stanza name. Not the server name:
[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fw_test
No need to modify, I already use "FORMAT = fw_test" in config.
What if you combine your transforms statement in props.conf:
TRANSFORMS-fw = redirect_1, redirect_2
I tried to add the stanzas in one transform rule first. Unfortunately the result was the same. I got indexed data, but no syslog out.
Is it possible to debug this kind of failure with the Splunk log somehow?
Can you share how you defined the syslog server in outputs.conf? Scrubbed is fine.
Sure.
[syslog:fw_test]
disabled = false
server = 8.8.8.8:514
type = udp
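The point raised above, that FORMAT in a _SYSLOG_ROUTING / _TCP_ROUTING transform must name an outputs.conf stanza ([syslog:fw_test], [tcpout:default-autolb-group]) and not the server address, is the kind of mismatch that fails silently: data still indexes, nothing leaves for syslog. The script below is an added example, not Splunk's code and not from anyone in this thread. It parses props.conf, transforms.conf, outputs.conf (and optionally inputs.conf, for the direct _SYSLOG_ROUTING variant also mentioned above) and reports every routing reference that does not resolve to an enabled output group. The stanza names, the 10.0.0.5 host and the 203.0.113.10 syslog server are constructed sample values, not taken from the thread.

```python
"""Check that Splunk routing references (props -> transforms -> outputs,
and inputs -> outputs) resolve to existing, enabled output groups.

Added example; assumes only Splunk's documented mapping:
  _TCP_ROUTING    -> [tcpout:<group>]  in outputs.conf
  _SYSLOG_ROUTING -> [syslog:<group>]  in outputs.conf
"""
import configparser
from typing import Dict, List, Optional

ConfDict = Dict[str, Dict[str, str]]

# Constructed sample configs mirroring the shape of the ones in the thread.
PROPS_CONF = """
[host::10.0.0.5]
TRANSFORMS-fw = redirect_1, redirect_2
"""

TRANSFORMS_CONF = """
[redirect_1]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = default-autolb-group

[redirect_2]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = fw_test
"""

# Broken variant: FORMAT carries the server address instead of the stanza name.
TRANSFORMS_CONF_BAD = TRANSFORMS_CONF.replace("FORMAT = fw_test",
                                              "FORMAT = 203.0.113.10:514")

OUTPUTS_CONF = """
[tcpout:default-autolb-group]
server = indexer.example.internal:9997

[syslog:fw_test]
disabled = false
server = 203.0.113.10:514
type = udp
"""

INPUTS_CONF = """
[udp://10.0.0.5:514]
_SYSLOG_ROUTING = fw_test
"""

# DEST_KEY value -> prefix of the outputs.conf stanza it must point at
ROUTING_KEYS = {"_TCP_ROUTING": "tcpout", "_SYSLOG_ROUTING": "syslog"}


def load_conf(text: str) -> ConfDict:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk keys are case-sensitive (DEST_KEY, REGEX), so optionxform is
    disabled; interpolation is off so '%' in values is left alone.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def _check_groups(origin: str, dest_key: str, groups: str,
                  outputs: ConfDict, problems: List[str]) -> None:
    """Verify each comma-separated group name has an enabled outputs stanza."""
    prefix = ROUTING_KEYS[dest_key]
    for group in (g.strip() for g in groups.split(",") if g.strip()):
        target = f"{prefix}:{group}"
        if target not in outputs:
            problems.append(f"{origin}: {dest_key} target '{group}' has no "
                            f"[{target}] stanza in outputs.conf")
        elif outputs[target].get("disabled", "false").strip().lower() in ("true", "1"):
            problems.append(f"{origin}: [{target}] exists but is disabled")


def check_routing(props: ConfDict, transforms: ConfDict, outputs: ConfDict,
                  inputs: Optional[ConfDict] = None) -> List[str]:
    """Return a list of human-readable problems; empty list means all good."""
    problems: List[str] = []
    # 1. props.conf TRANSFORMS-* -> transforms.conf stanza -> outputs.conf group
    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",") if n.strip()):
                t = transforms.get(name)
                if t is None:
                    problems.append(f"[{stanza}] {key}: unknown transform [{name}]")
                    continue
                dest = t.get("DEST_KEY", "")
                if dest in ROUTING_KEYS:
                    _check_groups(f"[{name}]", dest, t.get("FORMAT", ""), outputs, problems)
    # 2. inputs.conf stanzas that set _SYSLOG_ROUTING / _TCP_ROUTING directly
    for stanza, keys in (inputs or {}).items():
        for dest in ROUTING_KEYS:
            if dest in keys:
                _check_groups(f"[{stanza}]", dest, keys[dest], outputs, problems)
    return problems


if __name__ == "__main__":
    outputs = load_conf(OUTPUTS_CONF)
    for label, text in (("good", TRANSFORMS_CONF), ("bad", TRANSFORMS_CONF_BAD)):
        found = check_routing(load_conf(PROPS_CONF), load_conf(text), outputs,
                              load_conf(INPUTS_CONF))
        print(f"{label}: {found or 'no routing problems'}")
```

Run it against the real files from the search head or indexer (the merged view from `splunk btool transforms list --debug` is a good source) rather than the embedded samples; a clean result only means the references line up, so the restart-and-retest step still applies.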