Solved: 3rd-party syslog server recieved the strange messa...

sunrise · ‎03-06-2014

I configured universal forwarder to transfer raw data to Splunk indexer and 3rd-party syslog server by following configurations.

#outputs.conf
[tcpout]
defaultGroup = default-autolb-group, sub-group

[tcpout:default-autolb-group]
server = splunk_server:9997

[tcpout:sub-group]
server = syslog_server:514
sendCookedData = false

And I found 3rd-party syslog server receiving following messages from UF continuously.

Mar  6 14:20:55 ForwarderInfo build=196940 version=6.0.2 os=Linux arch=x86_64 hostname=splk guid=XX-XX-46F4-BF90-XXXXXXXX fwdType=uf ssl=false lastIndexer=172.XX.XX.XXX:9997
Mar  6 14:21:25 ForwarderInfo build=196940 version=6.0.2 os=Linux arch=x86_64 hostname=splk guid=XX-XX-46F4-BF90-XXXXXXXX fwdType=uf ssl=false lastIndexer=172.XX.XX.XXX:9997

I think these messages mean heatbeat from UF to syslog server.
However, README of outputs.conf, outputs.conf.spec says

heartbeatFrequency = <integer>
* How often (in seconds) to send a heartbeat packet to the receiving server.
* Heartbeats are only sent if sendCookedData=true.
* Defaults to 30 seconds.

Now I have a contradiction because I set "sendCookedData=false".
What do that message mean ?
And are there any way to stop sending that messages ?

sunrise · ‎03-23-2014

In the case of using UF, we can transfer raw data to 3rd party syslog server.
But that includes not only event data but also splunkd process logs (internal logs).

Furthermore, when UF has multiple tcpouts, heart beat from UF to recievers is always on.
This may be because of TCP connetcions (sending data precisely).

But when UF has just only single tcpout, heat beat is off.
So the reciever does not catch any heart beats.

View solution in original post

stephend · ‎03-31-2017

Adding this to the the output seem to stop the heartbeat data for me

heartbeatFrequency=0

eg.
[tcpout:something]
heartbeatFrequency=0

sunrise · ‎03-23-2014

In the case of using UF, we can transfer raw data to 3rd party syslog server.
But that includes not only event data but also splunkd process logs (internal logs).

Furthermore, when UF has multiple tcpouts, heart beat from UF to recievers is always on.
This may be because of TCP connetcions (sending data precisely).

But when UF has just only single tcpout, heat beat is off.
So the reciever does not catch any heart beats.

Rob · ‎03-13-2014

Hi Sunrise,

You might want to try setting the syslog forwarding stanza as described here:

http://docs.splunk.com/Documentation/Splunk/6.0.2/Forwarding/Forwarddatatothird-partysystemsd#Forwar...

in other words, try making the outputs.conf look like this:

[tcpout]
defaultGroup = default-autolb-group, sub-group

[tcpout:default-autolb-group]
server = splunk_server:9997

[syslog:sub-group]
server = syslog_server:514
sendCookedData = false

sunrise · ‎03-20-2014

I found that heat beats are "true" when UF transfer data to multiple tcpout. But when single tcpout, heat beats are "false".

sunrise · ‎03-20-2014

Hi Rob, thank you for your answer.
But I could not use "syslog output" in Universal Forwarer.
README also says that
"The syslog output processor is not available for universal or light forwarders."

sunrise · ‎03-09-2014

I actually tried "_SYSLOG_ROUTING" in heavy forwarder to transfer the data to 3rd-party syslog server. In which, the above messages are not existed. So is it bugs of splunk ?

3rd-party syslog server recieved the strange messages from UF..

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms