- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Forward specific syslog message to another system
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forward specific syslog message to another system
Hi,
I have splunk v5.0 running on RHEL and I want to forward all syslog messages %SYS-CONFIG-5 events from splunk to another system. I've been looking through the forum and have seen light/heavy forwaders etc and also seen about editing outputs.conf file. I'm not sure how to specifically go about doing this.
If someone can help, I'd appreciate it.
Thanks,
Neil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys - thanks for your comments up to now, I've managed to get back to this.
So I've configured as per below but it's still not working, and I've no idea where to start looking for the reason why? I've also enabled the heavyforwarder. I'd appreciate some guidance, even if you just tell me where to look for some clues?
.................................................
outputs.conf
[syslog:MY_GROUP]
disabled = false
server =
.................................................
props.conf
[syslog]
TRANSFORMS-fwdsyslog = send_to_ncm
.................................................
transforms.conf
[send_to_ncm]
REGEX = SYS-5-CONFIG
DEST_KEY = _SYSLOG_ROUTING
FORMAT = MY_GROUP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THanks, I've actually tried it both ways, neither would work but I'm trying to match SYS-5-CONFIG just so I can initiate a config pull based on in. I don't need everything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In your _raw data SYS-5-CONFIG is in every event? Why not just use REGEX = ., this regex will grab every syslog event. Everything else looks fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The full install of Splunk contains the Light Forwarder and Heavy Forwarder. Run ./splunk help if you see Splunkd and splunk web listed in status you have a full install, else its a UF. To check if HF or LF is enabled type ./splunk display app. If you see SplunkForwarder Enabled you have a HF or SplunkLightForwarder Enabled you have a LF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a possiblity that you don't have a forwarder AT ALL, but rather a standalone splunk indexer.
See this for info on where you can configure stuff.
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
PS. A Lightweight Forwarder is an older form of forwarder, now deprecated in favour of Universal Forwarder
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should know what you installed 🙂
There are two options, either you have a Universal Forwarder (no gui, no local indexing of events, located in /opt/splunkforwarder OR c:\program files\splunkuniversalforwarder)
OR
a Heavy Forwarder, which is a regular Splunk instance which has been configured to forward incoming events (and possibly index them locally as well). GUI may optionally be turned off.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks guys, but how do I know if I have a heavy forwarder or not?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to forward a subset of data to Splunk and a thirdpart you will have to use a concept called data routing and filtering. To acomplishing this you need a Heavy forwarder Installed instead of a Universal or Light Forwarder by editing outputs.conf, props.conf, and transforms.conf. By doing this you are sending raw syslog data to the another system.
If you have an Network like appliance you can have two syslog recepients list.
Additional Reading:
- Forwarddatatothird-partysystemsd - Read Section called "Send a subset of data to a syslog server"
- plunk-disaster-recovery?page=1&focusedAnswerId=60613#60613
Hope this helps or gets you started. Don't forget to accept and/or vote up answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need the Heavy forwarder to be able to do this. The universal forwarder does not inspect events so you would not be able to forward based on a condition in the event.
The basic steps are:
1. Configure outputs.conf with the remote system. Don't set a default group, so by default you don't forward
2. Configure props.conf to run a transform for syslog source
3. Configure transforms.conf to set TCP routing when your condition is met
See the doco
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
