Here is my setup on my Heavy Forwarder
inputs.conf
[udp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0
[tcp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0
outputs.conf
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = < ip-address >:9997, < ip-address >:9997
However, on my indexers, I'm only able to see source tcp:514. My UDP syslogs are not being indexed.
Any idea where it went wrong?
EDIT (resolved):
Just to update, I configured my props.conf and solved the issue.
Old configuration:
[host::10.1.1.1]
TRANSFORMS-change = change
Corrected configuration:
[source::udp:514]
TRANSFORMS-change = change
Hope this might be useful to anyone who is trying to achieve something similar to what I'm trying.
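To make the difference between the old and corrected stanzas concrete, here is an added example (not from this thread and not Splunk's own code): a small Python model of how Splunk picks the props.conf stanza that applies to an event, following the documented precedence of source:: over host:: over sourcetype stanzas. The config text and the events are constructed; with connection_host = ip the host field is the sender's address, so a host:: stanza covers only that sender, while source:: covers everything arriving on the udp:514 input.

```python
import re

# Splunk-style stanza wildcards: '*' stays within one path segment,
# '...' crosses segments. Simplified model for illustration only.
def stanza_matches(pattern, value):
    regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, value) is not None

def parse_props(text):
    """Parse a props.conf fragment into [{class, pattern, settings}]."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cls, _, pattern = line[1:-1].partition("::")
            if not pattern:  # bare [name] stanza keys on sourcetype
                cls, pattern = "sourcetype", cls
            current = {"class": cls, "pattern": pattern, "settings": {}}
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current["settings"][key] = value
    return stanzas

# Splunk resolves conflicting settings by stanza class in this order.
PRECEDENCE = {"source": 0, "host": 1, "sourcetype": 2}

def transforms_for(props_text, event):
    """Return the TRANSFORMS-* settings that apply to one event, where
    event is a dict with host, source and sourcetype keys."""
    applied = {}
    for st in sorted(parse_props(props_text), key=lambda s: PRECEDENCE.get(s["class"], 3)):
        if st["class"] in event and stanza_matches(st["pattern"], event[st["class"]]):
            for key, value in st["settings"].items():
                if key.startswith("TRANSFORMS-"):
                    applied.setdefault(key, value)  # higher precedence wins
    return applied

# Constructed inputs: the thread's old and corrected props.conf stanzas.
OLD_PROPS = "[host::10.1.1.1]\nTRANSFORMS-change = change\n"
NEW_PROPS = "[source::udp:514]\nTRANSFORMS-change = change\n"

# Constructed events: host is the sender IP (connection_host = ip),
# source is the input the event arrived on.
UDP_FROM_OTHER = {"host": "10.1.1.2", "source": "udp:514", "sourcetype": "syslog"}
UDP_FROM_LISTED = {"host": "10.1.1.1", "source": "udp:514", "sourcetype": "syslog"}
TCP_FROM_LISTED = {"host": "10.1.1.1", "source": "tcp:514", "sourcetype": "syslog"}
```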
Xrtan,
You did not specify an index on each input stanza. Did you enable receiving port 9997 on the indexer?
Hi alemarzu, the events are going into the default index, main. 9997 is enabled on the indexer too.
The indexer is indexing events from tcp:514 but not udp:514.
Did you try to search those events directly on the Heavy Forwarder first? (udp:514)
What about rules on your firewall, did you check them?
If I were to use indexAndForward it will be able to index, but it is not able to send out.
Firewall has been turned off. Anyhow, I've figured out what went wrong. Thanks for the help, cheers.
Great xrtan, do you mind sharing the answer? It may help other members.