Getting Data In

Can't get UF to translate cooked to plain old syslog

nisse
Explorer

I'm trying to use splunkforwarder-4.2.2-101277-linux-2.6-x86_64.rpm as an aggregator and translator for a bunch of Splunk servers sending cooked format to forward to one (now) or more (eventually) plain old syslog servers. This should be really easy, but I seem to be missing something important.

Basically, I want:

[ Splunk(s) ] --cooked--> [ UF ] --syslog--> [ syslog(s) ]

If I use [tcpout] in outputs.conf I can get it to sort-of work, except the syslog server receives gibberish when I sniff it. When I try to use [syslog] I get nothing actually forwarded and an error in splunkd.log:
ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

I've tried every combination I can think of, and, per /opt/splunkforwarder/etc/system/README/outputs.conf.example, even various props.conf and transforms.conf settings, even though lots of folks say that the UF won't parse or use those. I've searched the forums and Googled for hours, and still, no matter what, I get an error and nothing, or gibberish. The 3 test machines I'm using (regular Splunk sending cooked, UF, and plain old syslog) are all on the same subnet and switch, and can all talk to each other just fine. As noted, it even almost kinda works, except for the "plain old" syslog part. My syslog server is running syslog-ng and it is listening on 514 UDP. But I'm verifying via tcpdump, so I'm not even worried about that part yet. The stuff that gets there is not the same stuff I'm sending from Splunk.

Unless I have [tcpout] in outputs.conf I get the "ERROR TcpOutputProc ..." error, but I suspect that that's what's sending gibberish instead of plain old text.

What silly, basic thing am I missing?

inputs.conf

[default]
host = my_suf

[splunktcp://:9997]

outputs.conf = sends nothing, get "ERROR TcpOutputProc ..." above

[syslog]
defaultGroup = plainoldsyslog

[syslog:plainoldsyslog]
disabled = false
server = 192.168.1.100:514
type = tcp

outputs.conf = sends something, but per tcpdump it's not the plain syslog text I want

[tcpout]
defaultGroup = plainoldsyslog

[tcpout:plainoldsyslog]
disabled = false
server = 192.168.1.100:514
type = tcp
sendCookedData = false
compressed = false

rturk
Builder

Just to help people who may stumble across this, as of the current version (5.0.4), the Splunk Universal Forwarder is not capable of forwarding data in Syslog format. A Heavy Forwarder must be used to do this.

4.2.2 Docs: http://docs.splunk.com/Documentation/Splunk/4.2.2/Deploy/Forwarddatatothird-partysystemsd#Syslog_dat... (Covering the version in question)

5.0.4 Docs: http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Forwarddatatothird-partysystemsd#Syslog_dat...

Check the latest docs HERE for any possible changes in this.

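For readers who land here with the same goal, the following is an added example (not configuration from the thread or from Splunk's own files) of how the syslog-output route the answer above describes is wired up on a heavy forwarder, i.e. a full Splunk instance, rather than on a Universal Forwarder. The receiving port, the destination address 192.168.1.100:514 and the group name plainoldsyslog are taken from the question; the stanza and setting names follow the "Forward data to third-party systems" documentation linked above, and any site-specific values are assumptions to be adjusted.

```ini
# inputs.conf on the heavy forwarder: accept cooked data from the upstream
# Splunk instances (the same receiver the question's UF used).
[splunktcp://9997]

# outputs.conf on the heavy forwarder: the destination is a [syslog:...] group,
# not a [tcpout:...] group. A tcpout group always speaks Splunk's own
# forwarder protocol, which is why a packet capture of it shows "gibberish".
[syslog]
defaultGroup = plainoldsyslog

[syslog:plainoldsyslog]
server = 192.168.1.100:514
# The question's syslog-ng listens on 514/UDP, so use udp here.
type = udp
# Timestamp written into each syslog line; the follow-up comment below notes
# that missing time/host in the forwarded messages was the next problem seen.
timestampformat = %b %e %H:%M:%S

# props.conf on the heavy forwarder: run a routing transform over every event.
# Routing needs the parsing pipeline, which is exactly what a UF lacks.
[default]
TRANSFORMS-routing = send_to_syslog

# transforms.conf on the heavy forwarder: match every event and hand it to the
# syslog output group named above.
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = plainoldsyslog
```

After restarting the heavy forwarder, verify on the syslog host with the same tcpdump check the question uses: the payload should now be readable text lines rather than Splunk's binary forwarder framing. Because this instance parses data, it also consumes a Splunk Enterprise (forwarder) licence, which is the trade-off for gaining syslog output.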

nisse
Explorer

The UF utterly failed to work at all for me, but dumping the UF and using regular Splunk as a forwarder with the same config files almost works... See http://splunk-base.splunk.com/answers/28438/no-time-or-host-in-forwarded-syslog-messages
