Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you forward indexed information to a syslog server

Scarecrowddb
Explorer
‎03-10-2011 02:41 AM

Hi All,

I was wondering if it's possible for the below:

Server A - Contains the Event logs... i.e a domain controller Server B - Splunk Pulls all the Event Logs from Server A and Filters them, then Forwards them to Server C (where splunk is running in a recieve mode) Server C - Receives the filtered logs from Server B.

Now... for the tricky bit... I would then like to refilter with a different set of criteria on server C and then forward anything that matches to a Syslog Server that our Administrators use....

So far I haven't been able to accomplish this... and I'm not sure whether that's because it can't be done as the logs wheren't received in a syslog format form Server A, or more likely because I'm stuffing up the config on Server C....

I am trying to use the below....

-----props.conf-----

[wmi]
TRANSFORMS-wmi = Syslog

----transforms.conf----

[Syslog]
REGEX = (?msi)^EventCode=(632)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ORION

----outputs.conf----

[syslog]
defaultGroup = nullGroup
indexAndForward = 1
disabled = false

[syslog:ORION]
server = 1.1.1.1:514

If anyone can point me in the right direction it would be appreciated!

Cheers,

David.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

netwrkr
Communicator
‎03-15-2011 01:36 PM

So basically you have the logs on Server C, where Splunk is also running, and you want Splunk to forward those logs to another server? I'm not aware of Splunk having this capability to forward to another non Splunk server. If you're using linux you could check out syslog-ng or rsyslogd.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎02-07-2012 11:53 AM

Splunk forwarder LWF and UF) can only forward as splunk format

Splunk indexer can forward events as :
- syslog (udp or tcp)
- tcp raw
- splunk format (to another splunk server)
see http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Forwarddatatothird-partysystemsd

If you want to setup parsing rules (like filtering) it is only possible on an indexer or an heavy forwarder.
So if in your case, the intermediate server can be an heavy forwarder, and filter the events before forwarding them.
see http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Routeandfilterdatad

Reply
Solved! Jump to solution
Solution

netwrkr
Communicator
‎03-15-2011 01:36 PM

So basically you have the logs on Server C, where Splunk is also running, and you want Splunk to forward those logs to another server? I'm not aware of Splunk having this capability to forward to another non Splunk server. If you're using linux you could check out syslog-ng or rsyslogd.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...