How to let splunkforwarder transfering by UDP 514

sycross · ‎10-03-2012

Hi

I have the question about splunkforwarder , so hope someone can help me !

First ,
I successfully used to transfer logs , as follows

/opt/splunkforwarder/etc/system/local/inputs.conf
[default]
host = 10.10.203.1

[monitor:///var/log/httpd/access_log]
disabled = 0
sourcetype = http_access_log

/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = 10.10.203.7_9997

[tcpout:10.10.203.7_9997]
server = 10.10.203.7:9997

[tcpout-server://10.10.203.7:9997]

But if i want to change to UDP 514 , i search and read documents, i cant understand how to do it correctly .

Second ,
I read the http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Outputtext, but where to use the syntax of outputtext , command or others ?

--
best regards,

cross

Ayn · ‎10-03-2012

I think you're confusing concepts quite a bit here. Outputtext is a command used in searches that does something else entirely.

Light and universal forwarders cannot send syslog data. More information in the syslog part of the outputs.conf documentation here: http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Outputsconf

Ayn · ‎10-04-2012

As I said in my answer above, you can NOT use your forwarder for sending syslog data.

sycross · ‎10-04-2012

Another sample as follows,

/opt/splunkforwarder/etc/system/local/outputs.conf
[syslog]
defaultGroup = 10.10.203.7_514

[syslog:10.10.203.7_514]
server = 10.10.203.514
type = udp

I want to transfer the client's logs to server' s udp 514 port,
but the server does not receive any logs from client's.

client -------------> server:514

Can splunk be ?