Solved: Re: Can we use a Splunk universal forwarder to for...

suhailpuri83 · ‎07-21-2015

Hello Geeks,

We have a question with regards to the Splunk universal forwarder for you.

The Splunk forwarder that we use sends data to our Splunk indexer. Can we also configure it to send data to another Elastic search server at the same time ?

Our client does not have Splunk indexer, but ELK.

We use Splunk universal forwarder ver 6.2.2.2

esix_splunk · ‎07-22-2015

Technically, this should work as long as elastic understands the format (syslog) coming in. We've done similar with McAffee, Palantir, RSA, Syslog, and software out there.
In regards to using a UF for this specifically, Im pretty sure it violates the EULA and it definitely wont be supported.

View solution in original post

mustafa24 · ‎12-17-2015

Hello
Did you solve this problem. We want to do same thing. But splunk sends data as a splunk log not syslog format. So We can not parse data either elk or splunk.

I don't know how can I handle this problem. I hope anyone could do this.

jeffland · ‎12-17-2015

Have you had a look at sendCookedData = false in outputs.conf?

suhailpuri83 · ‎09-17-2015

So the destination ELK server wants to receive data in syslog format.

By default data is going to thrid party in the splunk format beacuse we are using splunk universal forwarder to send data.

In order to achieve above i read we need to modify props.conf file etc etc.
We want to send IIS logs from our windows server.

Does anyone have an idea as to how to modify the props.conf file ?

esix_splunk · ‎07-22-2015

Technically, this should work as long as elastic understands the format (syslog) coming in. We've done similar with McAffee, Palantir, RSA, Syslog, and software out there.
In regards to using a UF for this specifically, Im pretty sure it violates the EULA and it definitely wont be supported.

suhailpuri83 · ‎09-17-2015

So the destination ELK server wants to receive data in syslog format.

By default data is going to thrid party in the splunk format beacuse we are using splunk universal forwarder to send data.

In order to achieve above i read we need to modify props.conf file etc etc.
We want to send IIS logs from our windows server.

Does anyone have an idea as to how to modify the props.conf file ?

jeffland · ‎07-22-2015

Really? I just had a quick glance at this, and it says nothing like that - in fact, it says

To forward TCP data to a third-party system, edit the forwarder's outputs.conf file to specify the receiving server and port. [...] You can use any kind of forwarder, such as a universal forwarder, to perform this type of forwarding.

I can imagine that this procedure is not supported as it concerns leaving the product environment, but why would it violate the EULA?

esix_splunk · ‎07-22-2015

Sorry, I read this as the customer doesnt have an indexer and just wants to use a UF to forward data into ELK.

In the full case where they index and want to send to a separate ELK / Service Stack, this is fine.

jeffland · ‎07-22-2015

Have you tried adding another tcpout stanza with their server in it? outputs.conf says you clone your data that way.

suhailpuri83 · ‎07-22-2015

We will try and let you know, maybe we end up breaking new grounds.

reillysg · ‎01-06-2016

Did you manage to get this working ? we are using universal forwarders to send our data to the indexer but would also like to send all our data to a third party. Any help will be much appreciated.

jeffland · ‎01-07-2016

Have you tried the answer here?

Can we use a Splunk universal forwarder to forward logs to an ELK server (Kibana)?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes