Hello Geeks,
We have a question with regards to the Splunk universal forwarder for you.
The Splunk forwarder that we use sends data to our Splunk indexer. Can we also configure it to send data to another Elasticsearch server at the same time?
Our client does not have Splunk indexer, but ELK.
We use Splunk universal forwarder ver 6.2.2.2
Technically, this should work as long as Elastic understands the format (syslog) coming in. We've done similar with McAfee, Palantir, RSA, syslog, and other software out there.
In regards to using a UF for this specifically, I'm pretty sure it violates the EULA and it definitely won't be supported.
Hello
Did you solve this problem? We want to do the same thing. But Splunk sends data as a Splunk log, not in syslog format, so we cannot parse the data in either ELK or Splunk.
I don't know how I can handle this problem. I hope someone has done this.
Have you had a look at sendCookedData = false in outputs.conf?
So the destination ELK server wants to receive data in syslog format.
By default the data goes to the third party in the Splunk format because we are using the Splunk universal forwarder to send it.
In order to achieve the above, I read that we need to modify the props.conf file, etc.
We want to send IIS logs from our windows server.
Does anyone have an idea as to how to modify the props.conf file?
Really? I just had a quick glance at this, and it says nothing like that - in fact, it says
To forward TCP data to a third-party system, edit the forwarder's outputs.conf file to specify the receiving server and port. [...] You can use any kind of forwarder, such as a universal forwarder, to perform this type of forwarding.
I can imagine that this procedure is not supported as it concerns leaving the product environment, but why would it violate the EULA?
Sorry, I read this as the customer doesn't have an indexer and just wants to use a UF to forward data into ELK.
In the full case where they index and want to send to a separate ELK / Service Stack, this is fine.
Have you tried adding another tcpout stanza with their server in it? outputs.conf says you clone your data that way.
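The two suggestions in this thread (a second tcpout stanza so the data is cloned, and sendCookedData = false so the ELK side gets plain text instead of Splunk's cooked framing) fit together in one outputs.conf. The following is an added example written for this thread, not a configuration from the original poster or from Splunk's documentation; the hostnames, ports and the IIS log path are placeholders, and the inputs.conf part shows the narrower option of routing only the IIS input rather than cloning everything.

```ini
# outputs.conf on the universal forwarder (added example; hosts/ports are placeholders)
#
# Every event is cloned to both tcpout groups: the Splunk indexer gets the
# normal cooked stream, the ELK collector gets the raw event text.
[tcpout]
defaultGroup = splunk_indexers, elk_raw

[tcpout:splunk_indexers]
server = splunk-idx.example.internal:9997

[tcpout:elk_raw]
# Logstash tcp input (not its syslog input) should listen here: the raw stream
# carries no syslog header, just the event text, one event per line.
server = logstash.example.internal:5140
# Raw text only. Splunk metadata (host, source, sourcetype, index) is not
# transmitted, so anything ELK needs must be recovered from the event itself.
sendCookedData = false
# Optional: if the ELK side stops accepting data, drop rather than block the
# whole forwarder output queue (which would also stall the Splunk feed).
dropEventsOnQueueFull = 30

# inputs.conf on the same forwarder (added example; path is a placeholder)
#
# Alternative to cloning everything: leave defaultGroup pointing only at
# splunk_indexers and route just the IIS logs to both groups.
[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis
disabled = false
_TCP_ROUTING = splunk_indexers, elk_raw
```

Two caveats a practitioner would want to check before relying on this. First, the raw stream is not syslog: IIS W3C log lines arrive as-is (including the `#Fields:` header lines), so the field extraction has to be done on the ELK side with a dissect or grok filter keyed on the IIS field order. Second, cloning doubles the forwarder's outbound traffic and ties the availability of the Splunk feed to the health of the ELK endpoint unless a queue-full policy such as the one above is set, so keep an eye on the forwarder's `metrics.log` output-queue counters after enabling the second group.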
We will try and let you know, maybe we end up breaking new grounds.
Did you manage to get this working? We are using universal forwarders to send our data to the indexer but would also like to send all our data to a third party. Any help will be much appreciated.
Have you tried the answer here?