I have my splunk instance set up to receive data on a TCP port, sourcetype it, then output it to a Splunk receiver using the forwarder/receiver configuration. Everything is okay with that; my problem comes in when I try to configure a syslog output, as talked about at http://www.splunk.com/base/Documentation/4.1.2/Admin/Forwarddatatothird-partysystems and http://www.splunk.com/base/Documentation/4.0/Admin/ForwardtosyslogorHTTP
The remote server receives the data as I intended, but it also receives a whole bunch of Splunk audit events, particularly whenever a user uses the web interface.
outputs.conf:
[syslog]
defaultGroup=logserver
[syslog:logserver]
server = logserver:12345
type = tcp
sendCookedData = false
props.conf:
[to-be-syslogged]
TRANSFORMS-syslog = send_to_syslog
transforms.conf:
[send_to_syslog]
REGEX = .*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = logserver
It is my understanding that the bracket inside of props.conf specifies the sourcetype that I would like output to syslog. I have also tried host::* (and various iterations of server names), and source::tcp:5557 (the port that these particular entries are coming in on) to no avail.
The logs I am seeing on my syslog server include the logs I am looking for, but also have multiple entries such as:
<13>Audit:[timestamp=05-19-2010 14:52:32.090, user=admin, action=admin_all_objects, info=granted ][n/a]
Any ideas?
Thanks
Have you tried removing:
[syslog]
defaultGroup=logserver
from your outputs.conf?
As I read it and from my own experience it might change the behaviour from what you intend. Otherwise it looks good. If all else fails you can use REGEX = to negate certain log entries.
definitely not, just raw TCP stream -> splunk -> syslog
Am I reading this correctly in that you are doing Server -> Syslog -> Splunk Forwarder -> Syslog -> Splunk Indexer?
Had the same problem. If you are using a regular forwarder (not a lightweight), you need to configure the indexer to receive the data using splunktcp instead of tcp. You can either use the default splunktcp port 9997, or add a new one. To add a new splunktcp input to the indexer, navigate to: Manager >> Forwarding and Receiving >> Receive Data >> add new. Specify the port number. You will need to configure the forwarder to set sourcetype.
From the inputs.conf documentation
[splunktcp://:]
* This is the same as TCP, except the remote server is assumed to be a Splunk server.
Worked for me!
Correction: Events coming from either normal splunk forwarders or lightweight splunk forwarders should both be received using the splunktcp input.
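A small check, added here and not from the thread, that a defender can run over what the third-party syslog receiver actually logged to confirm that no Splunk audit events (which carry usernames and actions) still reach it after the change; the sample lines are constructed from the format quoted in the question, and the application line is an assumed example.

```python
import re

# Constructed sample of lines as the third-party syslog receiver would log them,
# modelled on the <13>Audit:[...] lines quoted in the question. The second line
# is an assumed application event that is supposed to be forwarded.
SAMPLE_SYSLOG_LINES = [
    "<13>Audit:[timestamp=05-19-2010 14:52:32.090, user=admin, action=admin_all_objects, info=granted ][n/a]",
    "<13>May 19 14:52:40 appserver01 myapp[1234]: user login ok",
    "<13>Audit:[timestamp=05-19-2010 14:53:01.114, user=admin, action=search, info=granted ][n/a]",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$")
AUDIT_RE = re.compile(r"^Audit:\[(?P<fields>[^\]]*)\]")


def parse_line(line):
    """Split a syslog line into its PRI value and message; None if no PRI is present."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    # PRI = facility * 8 + severity (RFC 3164); <13> is facility 1 (user), severity 5 (notice)
    return {"facility": pri // 8, "severity": pri % 8, "msg": m.group("msg")}


def parse_audit(msg):
    """Return the key=value fields of a Splunk audit event, or None if msg is not one."""
    m = AUDIT_RE.match(msg)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value.strip()
    return fields


def leaked_audit_events(lines):
    """Return every Splunk audit event found in a batch of received syslog lines."""
    leaked = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        audit = parse_audit(parsed["msg"])
        if audit is not None:
            leaked.append(audit)
    return leaked


if __name__ == "__main__":
    for ev in leaked_audit_events(SAMPLE_SYSLOG_LINES):
        print("leaked audit event:", ev)
```

Run it over the receiver's log after switching the indexer input to splunktcp; an empty result means the audit events no longer leave Splunk.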