- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- syslog data sent across forwarders and multiple in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
syslog data sent across forwarders and multiple indexers
I tried to do this
Send syslog data from a network device (on port: 514) to a Universal Forwarder listening on port: 514 irrespective of (ANY) host's IP -> indexer listening on port 20980 -> to another Universal Forwarder listening 20981 -> to a Syslog-NG server listening for all audit data from splunk and syslog data.
the mode of travel goes like this
__Multiple syslog data_ > UF > Indexer > UF > Syslog-NG_
the data traverses over this many system as they are in different network zones with the final Syslog-NG server there being a Vendors' component. I have ensure that the Last Syslog server is receiving all my splunkd and other splunk's logs from all the components, but i cannot get the Multiple syslog data (on port:514) to send over to the final Syslog-NG server.
What do i have to do to troubleshoot it?
I've created a similar setup which vary slightly from the top to narrow down the problem.
Multiple syslog data (on port:514) -> Syslog Indexer -> UF -> Syslog-NG_
Do note that the last Syslog-NG server is the same as the one as the top. This setup apparently is sending out all the splunkd and other splunk logs out properly, on top of that the syslog data is going over correctly.
Can anyone please show me the way forward? I thank you in advance for your kind assistance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the 2nd (similar) setup is working when sending to splunk. but the 1st example is not transmitting. Multiple syslog data as in e.g network appliances which transmits only on UDP://514 or UDP only traffic streams.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you run tcpdump or some other utility to verify that the last Universal Forwarder listening 20981 is actually forwarding the syslog data to your syslog endpoint?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It could help if you explained more not just about the setup, but also the problem? What do you mean by multiple syslog data? What's the expected outcome and how does it not work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help please, if anyone know?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
