Hello
I have this schema:
[syslog:received_514;forward_1514]
[SplunkUF:received_1514;forward_2000]
[SplunkUF2:received_2000;forward_3000]
[SplunkUF3:received_3000;forward_4000]
[Syslog:received_4000;forward_to_file]
With tcpdump on SplunkUF, I see the data arriving via syslog.
But the Splunk forward failed.
The configuration files are:
SplunkUF - inputs.conf:
# Default
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

# raw syslog arriving from the upstream syslog relay on TCP 1514
[tcp://1514]
sourcetype = syslog
queueSize = 1MB
persistentQueueSize = 4GB
# route events from this input to the "syslog-src" tcpout group
_TCP_ROUTING = syslog-src

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
SplunkUF - outputs.conf:
[tcpout]
backoffOnFailure = 5
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 60
# compress the cooked stream; the receiving splunktcp stanza must also set compressed = true
compressed = true
defaultGroup = syslog-src
dnsResolutionInterval = 300
negotiateNewProtocol = true
readTimeout = 900
# wait for indexer acknowledgment; only a Splunk receiver answers these
useACK = true
writeTimeout = 5
indexAndForward = 0

# next hop in the chain
[tcpout:syslog-src]
server = SplunkUF2:2000
maxQueueSize = 10MB
dropEventsOnQueueFull = -1
SplunkUF2 - inputs.conf:
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

# cooked, compressed data from SplunkUF on TCP 2000
[splunktcp://2000]
compressed = true
# connection_host only accepts ip, dns or none (the original had a host address here);
# to restrict which senders may connect, use acceptFrom = <network_acl> instead
connection_host = ip
queueSize = 1MB
persistentQueueSize = 4GB
_TCP_ROUTING = syslog-src

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
SplunkUF2 - outputs.conf:
[tcpout]
backoffOnFailure = 5
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 60
compressed = true
defaultGroup = syslog-src
dnsResolutionInterval = 300
negotiateNewProtocol = true
readTimeout = 900
useACK = true
writeTimeout = 5
indexAndForward = 0

# next hop in the chain
[tcpout:syslog-src]
server = SplunkUF3:3000
maxQueueSize = 10MB
dropEventsOnQueueFull = -1
SplunkUF3 - inputs.conf:
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

# cooked, compressed data from SplunkUF2 on TCP 3000
[splunktcp://3000]
compressed = true
# connection_host only accepts ip, dns or none (the original had a host address here);
# to restrict which senders may connect, use acceptFrom = <network_acl> instead
connection_host = ip
queueSize = 1MB
persistentQueueSize = 4GB
_TCP_ROUTING = syslog-src

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
SplunkUF3 - outputs.conf:
[tcpout]
defaultGroup = syslog-src
indexAndForward = 0

# last hop: the receiver is a plain syslog listener, not a Splunk instance,
# so send raw (uncooked) data and do not expect indexer acknowledgment
[tcpout:syslog-src]
server = IP_Syslog:4000
sendCookedData = false
Does anyone have an idea?
Thanks
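A per-hop sanity check for a chain like the one above, written for this reply as an added example (not the poster's files and not part of Splunk): it takes a sender's outputs.conf and the next hop's inputs.conf and reports whether the target port has a listener of the right kind (splunktcp for cooked data, tcp for raw), whether both ends agree on compressed, and whether useACK is only used towards a Splunk receiver. The two configs are constructed to mirror the SplunkUF to SplunkUF2 hop; the helper names conf_get and hop_ok are assumptions of this example.

```shell
#!/bin/sh
# Constructed configs for one hop of the chain (not the poster's files):
# a sender's outputs.conf and the next hop's inputs.conf.
SENDER_OUT='[tcpout]
defaultGroup = syslog-src
compressed = true
useACK = true
[tcpout:syslog-src]
server = SplunkUF2:2000'

RECEIVER_IN='[default]
host = $decideOnStartup
[splunktcp://2000]
compressed = true'

# conf_get <conf text> <key>: value of the first "key = value" line, or empty.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# hop_ok <outputs.conf text> <inputs.conf text>
# Returns 0 when the receiver listens on the sender's target port with the
# right stanza type (splunktcp for cooked data, tcp for raw), compression is
# set the same on both ends, and useACK is only used towards a Splunk receiver.
# Prints the first problem found and returns 1 otherwise.
hop_ok() {
    out=$1; inp=$2
    port=$(conf_get "$out" server); port=${port##*:}
    cooked=$(conf_get "$out" sendCookedData)
    case ${cooked:-true} in [Ff]*|0) want=tcp ;; *) want=splunktcp ;; esac
    if ! printf '%s\n' "$inp" | grep -q "^\[$want://$port\]"; then
        echo "receiver has no [$want://$port] stanza for server port $port"
        return 1
    fi
    oc=$(conf_get "$out" compressed); ic=$(conf_get "$inp" compressed)
    if [ "${oc:-false}" != "${ic:-false}" ]; then
        echo "compressed=${oc:-false} on sender, compressed=${ic:-false} on receiver"
        return 1
    fi
    # indexer acknowledgment is only answered by a Splunk (splunktcp) receiver
    if [ "$want" = tcp ] && [ "$(conf_get "$out" useACK)" = true ]; then
        echo "useACK=true but raw data is sent to a non-Splunk listener"
        return 1
    fi
    echo "ok: $want://$port compressed=${oc:-false}"
}

hop_ok "$SENDER_OUT" "$RECEIVER_IN"
```

Run it once per hop with the real file contents (for example `hop_ok "$(cat outputs.conf)" "$(ssh nexthop cat inputs.conf)"`); a non-zero exit points at the hop whose two sides disagree.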
Hi atixx,
I don't really see the benefits of doing something like this, using three Splunk universal forwarders to forward syslog from one syslog device to another syslog. If you need to chain things up like this, stick with syslog all the way.
Besides this, use the usual troubleshooting to find the error, like:
cheers, MuS