Getting Data In

How to configure Universal and Heavy forwarders to filter syslog data for VMware and Cisco traffic then route to their respective index?

pdherna1
Explorer

I have the following config:

  • 1 Splunk Indexer
  • 1 Universal Forwarder
  • 1 Heavy Forwarder

Here is what is working...

  • I have the Splunk indexer receiving syslog information directly over UDP:514.
  • I have the Splunk indexer also setup as a receiver.
    • Currently receiving syslog data via port 9997 from the Universal and Heavy forwarders.

I am trying (unsuccessfully) to split VMware and Cisco syslogs being sent to either the Universal or the Heavy forwarder, and then route this data to their respective indexes (VMware and Network) on the Splunk indexer.

I've tried the following config files on both forwarders.

inputs.conf

[default]
host = server27

[udp://:514]
index=test

props.conf

[syslog]

TRANSFORMS-index = VMredirect,network

transforms.conf

[VMredirect]
REGEX = (partial hostname).*lyondell
DEST_KEY = _MetaData:Index
FORMAT = vmware

[network]
REGEX = %s(ys|nmp)-
DEST_KEY = _MetaData:Index
FORMAT = network

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = receiverIP:9997

[tcpout-server://receiverIP:9997]

[syslog]
defaultGroup = default-syslog-group

[syslog:default-syslog-group]
server = receiverIP:9997

What am I doing wrong?

0 Karma

jonuwz
Influencer

See this wiki to see where you should put your settings.

Universal forwarders can only mess with settings in the input stage. Your transforms will be ignored.

Since you'll need to put the transforms on the indexer anyway, it makes sense to keep your transforms in one place and skip the transforms on the heavy forwarder too.

0 Karma
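As an added example (not from this thread and not Splunk's own code), here is a Python dry run of the index-time routing jonuwz describes, with props.conf and transforms.conf written the way they would look on the instance that parses the data. The config text, the hostname pattern esx\d+\.lyondell, the default index name test and the syslog lines are all constructed for the example. The model covers only REGEX / DEST_KEY = _MetaData:Index / FORMAT, the fact that the transforms in a TRANSFORMS-<class> list run in the listed order with the last match winning, and case-sensitive stanza names.

```python
"""Dry-run Splunk's index-time routing for DEST_KEY = _MetaData:Index.

Added example: a small model of what the parsing instance does with the
props.conf and transforms.conf below, so the regexes can be checked against
sample events before the files are deployed. It is not Splunk code and it
covers only: the transforms named in a TRANSFORMS-<class> list run in the
order listed, every one whose REGEX matches the raw event sets the index to
its FORMAT, and the last match wins. Stanza names are case-sensitive, as in
Splunk.
"""
import configparser
import re

# Constructed config text (assumption: the hostname pattern esx\d+\.lyondell
# and the default index "test" stand in for the thread's placeholders).
# These files belong on whichever instance parses the data first: the indexer
# for its own udp:514 input and for universal-forwarder data, the heavy
# forwarder for the inputs it collects itself.
PROPS_CONF = """
[syslog]
TRANSFORMS-index = VMredirect,network
"""

# [network] must match the name used in TRANSFORMS-index exactly. Cisco
# facility codes are uppercase (%SYS-, %SNMP-) and REGEX is case-sensitive,
# so the pattern is written in uppercase too.
TRANSFORMS_CONF = r"""
[VMredirect]
REGEX = esx\d+\.lyondell
DEST_KEY = _MetaData:Index
FORMAT = vmware

[network]
REGEX = %(SYS|SNMP)-
DEST_KEY = _MetaData:Index
FORMAT = network
"""

# Same file with the thread's original [Network] stanza name, to show the
# mismatch being caught.
BROKEN_TRANSFORMS_CONF = TRANSFORMS_CONF.replace("[network]", "[Network]")

# Constructed syslog lines, not captured from any real environment.
SAMPLE_EVENTS = [
    "<13>Jun  4 10:01:02 esx01.lyondell.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : User root@10.0.0.9 logged in",
    "<189>Jun  4 10:01:03 core-sw1 123: *Jun  4 10:01:03.111: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<190>Jun  4 10:01:04 core-sw1 124: *Jun  4 10:01:04.222: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.5",
    "<14>Jun  4 10:01:05 fileserver27 CRON[4242]: (root) CMD (run-parts /etc/cron.hourly)",
]


def load_conf(text):
    """Parse .conf text, keeping option and stanza names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase REGEX / DEST_KEY / FORMAT
    cp.read_string(text)
    return cp


def build_router(props_text, transforms_text, sourcetype="syslog", default_index="test"):
    """Return route(event) -> index name for events of the given sourcetype."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    chain = []
    # TRANSFORMS-<class> settings run in ASCII order of the class name, and the
    # transforms inside each list run in the order they are listed.
    for setting in sorted(k for k in props[sourcetype] if k.startswith("TRANSFORMS-")):
        for name in (n.strip() for n in props[sourcetype][setting].split(",")):
            if name not in transforms:  # case-sensitive lookup, like Splunk
                # Splunk would simply not apply the transform (the event keeps
                # the input's index); failing loudly makes the typo visible.
                raise KeyError(f"{setting} references missing transforms stanza [{name}]")
            stanza = transforms[name]
            if stanza.get("DEST_KEY") != "_MetaData:Index":
                continue  # other DEST_KEYs (queue, sourcetype, ...) are out of scope
            chain.append((re.compile(stanza["REGEX"]), stanza["FORMAT"]))

    def route(event):
        index = default_index
        for pattern, target in chain:
            if pattern.search(event):
                index = target  # a later match overrides an earlier one
        return index

    return route


def route_events(events=SAMPLE_EVENTS):
    """Index each sample event would land in under the corrected config."""
    route = build_router(PROPS_CONF, TRANSFORMS_CONF)
    return [route(e) for e in events]


def stanza_reference_is_broken():
    """True when TRANSFORMS-index points at a stanza that does not exist."""
    try:
        build_router(PROPS_CONF, BROKEN_TRANSFORMS_CONF)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    for event, index in zip(SAMPLE_EVENTS, route_events()):
        print(f"{index:8} <- {event[:60]}")
    print("[Network] vs network mismatch caught:", stanza_reference_is_broken())
```

Two caveats that the dry run makes concrete. First, the routing only happens where the data is parsed: a heavy forwarder parses its own inputs and sends cooked data, and the indexer does not rerun index-time props/transforms on cooked data, so the heavy-forwarder path needs the same two files on the heavy forwarder; a universal forwarder sends raw data, so for it the indexer's copies do the work. Second, because both transforms write the same key, an event that matched both patterns would end up in whichever index the later transform in the list names, so the order in TRANSFORMS-index is part of the policy, not cosmetic.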

kenth
Splunk Employee

Can't you just set the index in inputs.conf?

0 Karma

pdherna1
Explorer

1) OK, so I'm ruling out using the Universal forwarders.

2) The heavy forwarder does forward to the indexer. So you're saying that the props.conf and the transforms.conf on the indexer will filter and route the traffic from the heavy forwarder, so I only need those config files on the indexer, correct?

3) To be clear, I have the indexer listening on UDP:514 and devices (VMware hosts and Cisco networking equipment) pointed to the Splunk indexer as their syslog server. But for remote devices I have set up a Heavy forwarder to capture syslog traffic and forward it to the indexer (receiver).

0 Karma

jonuwz
Influencer

The heavy forwarder forwards to the indexer too, right? The indexer will see the hostname, so your transforms will have the data they need to set the index.

(providing the data hits the indexer with a sourcetype of syslog)

When you say devices pointing directly at the indexer, do you mean via a universal forwarder? (Or a tcp input / files / listening on udp 514?)

0 Karma

pdherna1
Explorer

Hmmmm, interesting, because I got the VMware traffic to redirect to its respective index on the Universal forwarder using the props and transforms.

So on your statement about placing the transforms in one place (indexer only)... how would I get the traffic coming from the Heavy forwarder split and indexed accordingly? Btw, I have devices pointing directly to the indexer and others pointing to the heavy forwarder.

0 Karma