Getting Data In

Why is our third party logstash only receiving half of logs forwarded from Splunk?

thezero
Path Finder

Hi Team,

We are currently forwarding Windows logs to a third-party SIEM and Logstash, but there is a problem. It looks like the third party is receiving only 50% of logs, although we are forwarding all logs. Firewall rules are in place to forward and receive logs.

Data flow is as below:

Splunk Universal Forwarder ---> Splunk HWF ---> Third party using UDP via syslog.

We are using below config:

outputs.conf

[tcpout:syslog]
server = destination host:port

props.conf

[windows]
TRANSFORMS-forward = windows

transforms.conf

[windows]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=syslog

Am I missing something?

What difference will it make if I add the below config?

sendCookedData=false.

Are there any limitations on how much data we can forward via UDP? We are trying to send almost a few MB of logs per second.

There are no errors in the splunkd logs or metrics.log.

Please advise.

0 Karma
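As an added example (not configuration posted by any participant in this thread), the fragment below puts the tcpout group from the question next to the syslog output group that Splunk's outputs.conf documents for UDP syslog, with the transforms.conf routing key that targets each. The host name, port and stanza names are placeholders.

```ini
# Added example, not from any poster. Stanza names follow Splunk's documented
# outputs.conf / transforms.conf syntax; host, port and group names are placeholders.

# --- outputs.conf ---

# Group type as posted in the question. A [tcpout:...] group sends over TCP:
# cooked (Splunk-to-Splunk) by default, raw when sendCookedData = false.
# It does not send UDP in either mode.
[tcpout:syslog]
server = syslog.example.com:514
sendCookedData = false

# Group type that actually emits syslog. type = udp selects UDP transport
# (type = tcp is also accepted).
[syslog:thirdparty_syslog]
server = syslog.example.com:514
type = udp

# --- transforms.conf ---

# _TCP_ROUTING addresses tcpout groups; _SYSLOG_ROUTING addresses syslog
# groups. FORMAT names the group after the colon in the outputs.conf stanza.
[windows_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = thirdparty_syslog

# --- props.conf ---

# Apply the routing transform to each Windows event log sourcetype that
# should leave via syslog (the stanza names used in this thread).
[WinEventLog:Security]
TRANSFORMS-forward = windows_to_syslog

[WinEventLog:Application]
TRANSFORMS-forward = windows_to_syslog

[WinEventLog:System]
TRANSFORMS-forward = windows_to_syslog
```

UDP carries no acknowledgement, so datagrams dropped in transit or in a full receive buffer leave nothing in the sender's metrics.log; comparing the receiver's datagram count against the HWF's event count for the same window is the check that shows whether loss happens before or after the wire.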

koshyk
Super Champion

In your props.conf, [windows]
I hope that's something you defined? Can you ensure that [windows] contains all the event logs? [WinEventLog:Security], [WinEventLog:Application], [WinEventLog:System], etc.

0 Karma

thezero
Path Finder

Hi Koshyk,

Thanks for the suggestion. I have added [WinEventLog:Application] and [WinEventLog:System] to the config, but their overall count as compared to security logs is only 1%, so the issue still continues, i.e. we are still receiving 50% of logs at the third party 😞

0 Karma

dwaddle
SplunkTrust

Are you sure this is UDP syslog? It looks more like TCP. I would not be surprised if the HWF's Output Queues are becoming full, blocking, and dropping some data.

0 Karma

thezero
Path Finder

Hi Dwaddle,

Yes. I am sure it's UDP syslog. At the destination we are listening for UDP traffic only. We are receiving the UDP traffic at the destination. The problem is we are receiving approximately 50% of logs. I also searched for any logs with the keyword blocked=true (metrics.log in Splunk), but no results.

Regards,
Thezero

0 Karma