Unable to forward syslog to third-party syslog server

forrest_NUS
New Member

I have an all-in-one environment, which indexes VPN logs. I also want to forward the VPN raw logs to third-party syslog servers.
I have configured outputs, transforms, and props as in the snapshot; however, it cannot forward any log out.

09-18-2017 17:45:02.632 +0800 INFO Metrics - group=syslog_connections, vpnsyslog:172.18.165.144:514:172.18.165.144:514, sourcePort=8089, destIp=172.18.165.144, destPort=514, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=0, _tcp_eps=0.00

Anything wrong with my configuration?


gcusello
SplunkTrust

Hi forrest_NUS,
did you disable the local firewall on these ports?
Bye.
Giuseppe


forrest_NUS
New Member

Hi Cusello,

The firewall is enabled.

I added a defaultGroup in the outputs.conf, and it forwarded all logs to the third-party syslog server.
However, my requirement is to forward only selected source types to the third party.
My previous outputs.conf was like the following:
[syslog]
defaultGroup = vpnsyslog

[syslog:vpnsyslog]
server = 172.18.165.144:514


gcusello
SplunkTrust

Hi forrest_NUS,
If the firewall must remain enabled, you have to configure it to open port 514.
Just as a test, try disabling the firewall and check if it's OK, then try opening port 514.

If the problem remains, test the connection between the indexer and the third-party server using telnet 172.18.165.144 514

If it's still OK, verify with tcpdump whether there's traffic between the indexer and the third-party server.
You could also verify by using some tool to send a syslog message to the third party; in this way you can exclude connection issues and then look for Splunk configuration problems.

I suggest verifying the connections because your Splunk configuration seems to be OK.

Anyway, the problem is often a local or remote firewall!

Bye.
Giuseppe


forrest_NUS
New Member

Hi Giuseppe,

Thanks for your kind reply.
I have verified the UDP connection, and it's okay.

The issue is that when I remove the defaultGroup in outputs.conf, no syslog is sent out.
If I keep the defaultGroup, then all logs are sent to the third party; however, I just want to send selected source type logs to the third party.

Regards,
Forrest


gcusello
SplunkTrust

Only one final test: in props.conf try modifying the stanza; when you use a sourcetype you can insert the sourcetype directly:

[juniper:sslvpn]
TRANSFORMS-syslog = syslog-out

Bye.
Giuseppe

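Putting the three pieces discussed in this thread together, as an added example rather than either poster's own configuration: the [syslog] defaultGroup is dropped so nothing is forwarded by default, and only events of the VPN sourcetype are routed to the output group via the _SYSLOG_ROUTING key. The sourcetype juniper:sslvpn and the server address are taken from the posts above; placing these stanzas in $SPLUNK_HOME/etc/system/local on the all-in-one instance and restarting Splunk is assumed.

```ini
# outputs.conf: the syslog output group. There is deliberately no
# [syslog] stanza with defaultGroup, so no event is sent here unless
# a transform routes it explicitly.
[syslog:vpnsyslog]
server = 172.18.165.144:514
type = udp

# props.conf: attach the routing transform only to the VPN sourcetype.
# Other sourcetypes never hit this transform and stay local.
[juniper:sslvpn]
TRANSFORMS-syslog = syslog-out

# transforms.conf: match every event of that sourcetype (REGEX = .)
# and set _SYSLOG_ROUTING to the output group name from outputs.conf.
[syslog-out]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = vpnsyslog
```

This routing is applied in the parsing pipeline, so it works on an all-in-one instance, an indexer or a heavy forwarder, but not on a universal forwarder, which does not parse events.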