Getting Data In

Unable to forward syslogs coming in from UDP:514

xrtan
Explorer

Here is my setup on my Heavy Forwarder

inputs.conf

[udp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0
[tcp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0

outputs.conf

[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = < ip-address >:9997, < ip-address >:9997

However, on my indexers, I'm only able to see source tcp:514. My UDP syslogs are not being indexed.

Any idea where I went wrong?

EDIT (resolved):
Just to update: I configured my props.conf and solved the issue.

Old configuration:
[host::10.1.1.1]
TRANSFORMS-change = change

Corrected configuration:
[source::udp:514]
TRANSFORMS-change = change

Hope this is useful to anyone who is trying to achieve something similar to what I'm trying to do.

0 Karma
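To see what the move from a host-scoped to a source-scoped props.conf stanza actually changes, here is an added example that is not from the original thread and not Splunk's own code: it parses the two props.conf fragments above, applies Splunk's stanza-matching and precedence rules (source stanza over host stanza over sourcetype stanza) to constructed events, and tags a real loopback UDP datagram the way a [udp://:<port>] input with connection_host = ip would (source "udp:<port>", host taken from the sender's address). Assumptions: only "*" wildcards are modelled in selectors (Splunk also accepts "..." and regex forms), the event metadata and syslog line are constructed, and the loopback test binds an ephemeral port because port 514 needs root.

```python
import configparser
import fnmatch
import socket

# Constructed props.conf fragments mirroring the thread: the original
# host-scoped stanza and the corrected source-scoped one.
PROPS_OLD = "[host::10.1.1.1]\nTRANSFORMS-change = change\n"
PROPS_NEW = "[source::udp:514]\nTRANSFORMS-change = change\n"

# Splunk resolves each props.conf key per event with this precedence
# (highest first): source stanza, then host stanza, then sourcetype stanza.
PRECEDENCE = ("source", "host", "sourcetype")


def parse_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}.
    optionxform is disabled so keys such as TRANSFORMS-change keep their case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def stanza_scope(name):
    """'source::udp:514' -> ('source', 'udp:514'); 'host::10.1.1.1' -> ('host', '10.1.1.1');
    a bare stanza name such as 'syslog' is a sourcetype selector."""
    for scope in ("source", "host"):
        if name.startswith(scope + "::"):
            return scope, name[len(scope) + 2:]
    return "sourcetype", name


def matching_stanzas(props, event):
    """Stanzas whose selector matches the event's metadata. Only '*' wildcards
    are modelled here (assumption); Splunk also accepts '...' and regex forms."""
    hits = []
    for name in props:
        scope, pattern = stanza_scope(name)
        if fnmatch.fnmatchcase(event[scope], pattern):
            hits.append(name)
    return hits


def effective_settings(props, event):
    """Merge keys from all matching stanzas, applying lowest precedence first so
    a source stanza overrides a host stanza, which overrides a sourcetype stanza."""
    merged = {}
    for scope in reversed(PRECEDENCE):
        for name in matching_stanzas(props, event):
            if stanza_scope(name)[0] == scope:
                merged.update(props[name])
    return merged


def udp_roundtrip(message, addr="127.0.0.1"):
    """Deliver one syslog line over loopback UDP and return it tagged the way a
    [udp://:<port>] input with connection_host = ip tags events: source is
    'udp:<port>' and host is the sender's IP address. An ephemeral port is used
    (assumption) because binding 514 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((addr, 0))
        rx.settimeout(2)
        port = rx.getsockname()[1]
        tx.sendto(message.encode(), (addr, port))
        data, (peer_ip, _) = rx.recvfrom(65535)
    return {"source": "udp:%d" % port, "host": peer_ip,
            "sourcetype": "syslog", "_raw": data.decode()}


if __name__ == "__main__":
    # Constructed events: two senders on the UDP input, one on the TCP input,
    # with source/host/sourcetype as the thread's inputs.conf would set them.
    udp_event = {"source": "udp:514", "host": "10.1.1.1", "sourcetype": "syslog"}
    other_sender = {"source": "udp:514", "host": "10.2.2.2", "sourcetype": "syslog"}
    tcp_event = {"source": "tcp:514", "host": "10.1.1.1", "sourcetype": "syslog"}
    for label, text in (("old", PROPS_OLD), ("new", PROPS_NEW)):
        props = parse_conf(text)
        for ev in (udp_event, other_sender, tcp_event):
            print(label, ev["source"], ev["host"], effective_settings(props, ev))
    # Real datagram on loopback: host comes from the peer address, not from the message text.
    event = udp_roundtrip("<13>Jan  1 00:00:00 host1 app: constructed test line")
    props = parse_conf("[source::udp:*]\nTRANSFORMS-change = change\n")
    print(event["source"], event["host"], effective_settings(props, event))
```

The old stanza fires on every input (UDP or TCP) but only for the one sender address, so events from any other syslog client on udp:514 get no transform; the corrected stanza fires for every event of the UDP input regardless of sender and never for tcp:514. The loopback round trip is the local check suggested later in the thread: if a datagram sent to the listening port never arrives, the problem is below Splunk (port not bound, or a host firewall), not in props.conf.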

alemarzu
Motivator

Xrtan,

You did not specify an index on each input stanza. Did you enable receiving on port 9997 on the indexer?

0 Karma

xrtan
Explorer

Hi alemarzu, the events are going into the default index, main. 9997 is enabled on the indexer too.
The indexer is indexing events from tcp:514 but not udp:514.

0 Karma

alemarzu
Motivator

Did you try to search for those events directly on the Heavy Forwarder first? (udp:514)
What about rules on your firewall, did you check them?

0 Karma

xrtan
Explorer

If I use indexAndForward it is able to index, but not to send out.
The firewall has been turned off. Anyhow, I've figured out what went wrong. Thanks for the help, cheers.

0 Karma

alemarzu
Motivator

Great xrtan, do you mind sharing the answer? It may help other members.

0 Karma