Hello
I have this schema:
[syslog:received_514;forward_1514]
[SplunkUF:received_1514;forward_2000]
[SplunkUF2:received_2000;forward_3000]
[SplunkUF3:received_3000;forward_4000]
[Syslog:received_4000;forward_to_file]
With tcpdump on SplunkUF, I see that the data sent by syslog arrived.
But the Splunk forwarding failed.
The configuration files are:
SplunkUF - inputs.conf:
# Default
[default]
index= default
_rcvbuf = 1572864
host = $decideOnStartup
[tcp://1514]
sourcetype = syslog
queueSize=1MB
persistentQueueSize=4GB
_TCP_ROUTING = syslog-src
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
SplunkUF - outputs.conf:
[tcpout]
backoffOnFailure = 5
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 60
compressed = true
defaultGroup = syslog-src
dnsResolutionInterval = 300
negotiateNewProtocol = true
readTimeout = 900
useACK = true
writeTimeout = 5
indexAndForward = 0
[tcpout:syslog-src]
server = SplunkUF2:2000
maxQueueSize = 10MB
dropEventsOnQueueFull = -1
SplunkUF2 - inputs.conf:
[default]
index= default
_rcvbuf = 1572864
host = $decideOnStartup
[splunktcp://2000]
compressed = true
connection_host = IP_SplunkUF
queueSize=1MB
persistentQueueSize=4GB
_TCP_ROUTING = syslog-src
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
SplunkUF2 - outputs.conf:
[tcpout]
backoffOnFailure = 5
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 60
compressed = true
defaultGroup = syslog-src
dnsResolutionInterval = 300
negotiateNewProtocol = true
readTimeout = 900
useACK = true
writeTimeout = 5
indexAndForward = 0
[tcpout:syslog-src]
server = SplunkUF3:3000
maxQueueSize = 10MB
dropEventsOnQueueFull = -1
SplunkUF3 - inputs.conf:
[default]
index= default
_rcvbuf = 1572864
host = $decideOnStartup
[splunktcp://3000]
compressed = true
connection_host = IP_SplunkUF2
queueSize=1MB
persistentQueueSize=4GB
_TCP_ROUTING = syslog-src
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
disabled = true
SplunkUF3 - outputs.conf:
[tcpout]
defaultGroup = syslog-src
indexAndForward = 0
[tcpout:syslog-src]
server = IP_Syslog:4000
sendCookedData = False
Does anyone have an idea?
Thanks