Forward specific syslog message to another system

nmobrien1977
Explorer

Hi,
I have Splunk v5.0 running on RHEL and I want to forward all syslog messages %SYS-CONFIG-5 events from Splunk to another system. I've been looking through the forum and have seen light/heavy forwarders etc. and have also seen about editing the outputs.conf file. I'm not sure how to specifically go about doing this.

If someone can help, I'd appreciate it.

Thanks,
Neil


nmobrien1977
Explorer

Hi Guys - thanks for your comments up to now, I've managed to get back to this.

So I've configured as per below but it's still not working, and I've no idea where to start looking for the reason why. I've also enabled the heavy forwarder. I'd appreciate some guidance, even if you just tell me where to look for some clues.

.................................................
outputs.conf
[syslog:MY_GROUP]
disabled = false
server = :514

.................................................

props.conf
[syslog]
TRANSFORMS-fwdsyslog = send_to_ncm
.................................................

transforms.conf
[send_to_ncm]
REGEX = SYS-5-CONFIG
DEST_KEY = _SYSLOG_ROUTING
FORMAT = MY_GROUP

nmobrien1977
Explorer

Thanks, I've actually tried it both ways; neither would work, but I'm trying to match SYS-5-CONFIG just so I can initiate a config pull based on it. I don't need everything.


bmacias84
Champion

In your _raw data, is SYS-5-CONFIG in every event? Why not just use REGEX = . ? This regex will grab every syslog event. Everything else looks fine.


bmacias84
Champion

The full install of Splunk contains the Light Forwarder and Heavy Forwarder. Run ./splunk help; if you see Splunkd and splunk web listed in status, you have a full install, else it's a UF. To check if HF or LF is enabled, type ./splunk display app. If you see SplunkForwarder Enabled you have a HF, or SplunkLightForwarder Enabled you have a LF.

kristian_kolb
Ultra Champion

There is a possibility that you don't have a forwarder AT ALL, but rather a standalone Splunk indexer.

See this for info on where you can configure stuff.

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

PS. A Lightweight Forwarder is an older form of forwarder, now deprecated in favour of the Universal Forwarder.

kristian_kolb
Ultra Champion

You should know what you installed 🙂

There are two options, either you have a Universal Forwarder (no gui, no local indexing of events, located in /opt/splunkforwarder OR c:\program files\splunkuniversalforwarder)

OR

a Heavy Forwarder, which is a regular Splunk instance which has been configured to forward incoming events (and possibly index them locally as well). GUI may optionally be turned off.

nmobrien1977
Explorer

Thanks guys, but how do I know if I have a heavy forwarder or not?


bmacias84
Champion

If you want to forward a subset of data to Splunk and a third party, you will have to use a concept called data routing and filtering. To accomplish this you need a Heavy Forwarder installed instead of a Universal or Light Forwarder, and you edit outputs.conf, props.conf, and transforms.conf. By doing this you are sending raw syslog data to the other system.

If you have a network-like appliance, you can have two syslog recipients listed.

Additional Reading:

  1. Forward data to third-party systems - Read the section called "Send a subset of data to a syslog server"
  2. plunk-disaster-recovery?page=1&focusedAnswerId=60613#60613

Hope this helps or gets you started. Don't forget to accept and/or vote up answers.

datasearchninja
Communicator

You need the Heavy forwarder to be able to do this. The universal forwarder does not inspect events so you would not be able to forward based on a condition in the event.

The basic steps are:
1. Configure outputs.conf with the remote system. Don't set a default group, so by default you don't forward
2. Configure props.conf to run a transform for syslog source
3. Configure transforms.conf to set TCP routing when your condition is met

See the docs.

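The props -> transforms -> outputs chain from the steps above can be sanity-checked before trusting it. The script below is an added example, not code from this thread or from Splunk: it parses constructed copies of the three conf files (the receiver host is a placeholder, since the thread's own outputs.conf has none), confirms that each stanza references one that exists, flags a server entry with no host, and runs the transform's REGEX over constructed sample events to show which ones would actually be routed.

```python
import configparser
import re

# Constructed copies of the three conf files from the thread. The receiver host
# is a placeholder: the thread's own outputs.conf line "server = :514" has none.
OUTPUTS_CONF = "[syslog:MY_GROUP]\ndisabled = false\nserver = SYSLOG_HOST_PLACEHOLDER:514\n"
PROPS_CONF = "[syslog]\nTRANSFORMS-fwdsyslog = send_to_ncm\n"
TRANSFORMS_CONF = "[send_to_ncm]\nREGEX = SYS-5-CONFIG\nDEST_KEY = _SYSLOG_ROUTING\nFORMAT = MY_GROUP\n"

# Constructed sample syslog events (Cisco-style text, not taken from the thread).
EVENTS = [
    "Mar  1 10:00:01 router1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Mar  1 10:00:05 router1 124: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
]

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def check_routing(outputs_txt, props_txt, transforms_txt, sourcetype="syslog"):
    """Walk props -> transforms -> outputs; return problems found (empty list = consistent)."""
    outputs, props, transforms = load(outputs_txt), load(props_txt), load(transforms_txt)
    if not props.has_section(sourcetype):
        return [f"props.conf has no [{sourcetype}] stanza"]
    chains = [v for k, v in props[sourcetype].items() if k.startswith("TRANSFORMS-")]
    problems = []
    for name in (n.strip() for chain in chains for n in chain.split(",")):
        if not transforms.has_section(name):
            problems.append(f"transforms.conf has no [{name}] stanza")
            continue
        t = transforms[name]
        # _SYSLOG_ROUTING selects a [syslog:GROUP] stanza, _TCP_ROUTING a [tcpout:GROUP] one
        prefix = {"_SYSLOG_ROUTING": "syslog:", "_TCP_ROUTING": "tcpout:"}.get(t.get("DEST_KEY"))
        if prefix is None:
            problems.append(f"[{name}] DEST_KEY must be _SYSLOG_ROUTING or _TCP_ROUTING")
            continue
        group = prefix + t.get("FORMAT", "")
        if not outputs.has_section(group):
            problems.append(f"outputs.conf has no [{group}] stanza for [{name}]")
        elif not outputs[group].get("server", "").split(":")[0]:  # ":514" has no host
            problems.append(f"[{group}] server has no host before the port")
    return problems

def routed_events(transforms_txt, name, events):
    """Apply one transform's REGEX to sample events; only the matches would be routed."""
    pattern = re.compile(load(transforms_txt)[name]["REGEX"])
    return [e for e in events if pattern.search(e)]
```

Running check_routing against the thread's literal "server = :514" reports the missing host, which is one reason the routing in the post above could silently do nothing.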
