I am using a heavy forwarder to forward data to an INDEXER which is successful. I now need to forward all the data to a third-party system. According to the document, I have prepared my outputs.conf to forward all the data, but am confused whether I use my outputs.conf on the forwarder, or if I need to specify it on my INDEXER.
My outputs.conf looks like:
[tcpout:forwarddata] server = XXXXXXXXXX:7997 sendCookedData = false
And my another question is, do I need to use any specific software on the receiver or a Linux machine can receive the data if the port is open??
Sorry to dig out old thread, but what if data is gathered also on the local indexer system, which is not a single forwarder? That means that I need to configure those bits on indexer only. That means it's not technically possible?
So I assume that you need to forward the data to the 3rd party system via the syslog protocol as I am not aware of any other system that understand the Splunk forwarder protocol.
It's pretty simple. On the heavy forwarder you will need some additional settings in props.conf, transforms.conf and outputs.conf.
In props.conf (default will apply to all sources):
In transforms.conf (match every event and set the syslog routing key)
[syslogRouting] REGEX=. DEST_KEY=_SYSLOG_ROUTING FORMAT=syslogGroup
In outputs.conf (use the syslogGroup to point to your syslog server and port)
[syslog:syslogGroup] server = xx.xx.xx.xx:514
After this configuration, we receive a large number of audit logs on our syslog server, but we do not need these own audit logs, we want to forward only the specified logs that we have collected to the syslog server, how do we filter out these own audit logs?
If you send it as raw TCP you will need something to listen on that port and do something with the data steam. You would need some process or script to handle it. If you've got that part covered, you should be ok.
If, on the other hand, you send it as syslog on port 514 or some other agreed upon port, you could use something like syslog-ng or rsyslog to listen for it and then take action on it (e.g., write to disk or forward elsewhere).