I've recently inherited an old Splunk installation, and I'm in the process of migrating it over to a new updated instance. One of my issues is they have a syslog server that is collecting logs from the firewall and other devices and forwarding that to the old Splunk instance, which appears to be working as expected.
I want to forward that data to the new instance; however, I'm not seeing where they are monitoring those specific log files. The syslog server is dumping that data into specific text files on a different partition. I've reviewed the server.conf file, and it shows the old Splunk instance IP; however, the inputs.conf file does not have any references to monitoring anything other than Windows event logs. I've also reviewed the default inputs.conf file, and again, nothing specific regarding the universal forwarder monitoring and forwarding the data.
If I change the IP in the server.conf file to the new instance, the data is forwarded, but I'm not sure how it's actually doing that.
Any suggestions on where I should be looking, or how this is being forwarded?
Thanks,
Bob
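A monitor stanza that is missing from etc/system/local/inputs.conf is usually sitting in an app's local/ or default/ inputs.conf, which the forwarder merges in the same way. The script below is an added example, not part of the post above: it walks Splunk's standard inputs.conf layers (the same layering that `splunk btool inputs list --debug` reports on a live forwarder) and lists every monitor/tcp/udp stanza with the file it came from. The sample directory tree and its paths are constructed for the demo.

```python
"""Added example (not from the original post): enumerate every input stanza a
Universal Forwarder would load across all inputs.conf layers, so a monitor
stanza hidden in an app's local/ or default/ directory is found. The sample
tree is constructed here; only the layer paths are Splunk's real defaults."""
import configparser
import tempfile
from pathlib import Path

# Splunk merges these layers in precedence order (highest first) for global
# context files such as inputs.conf; a stanza may live in any of them.
LAYERS = ["etc/system/local", "etc/apps/*/local",
          "etc/apps/*/default", "etc/system/default"]
INPUT_PREFIXES = ("monitor://", "tcp://", "udp://", "batch://")


def find_input_stanzas(splunk_home):
    """Return (stanza, relative inputs.conf path) pairs for every file/network
    input stanza found in any inputs.conf under the standard layers."""
    found = []
    home = Path(splunk_home)
    for pattern in LAYERS:
        for conf in sorted(home.glob(pattern + "/inputs.conf")):
            cp = configparser.ConfigParser(interpolation=None, strict=False)
            cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
            cp.read(conf, encoding="utf-8")
            for stanza in cp.sections():
                if stanza.startswith(INPUT_PREFIXES):
                    found.append((stanza, conf.relative_to(home).as_posix()))
    return found


def build_sample_tree():
    """Constructed sample: system/local only has a WinEventLog stanza, while the
    syslog directory monitors sit in an app, mirroring the situation described."""
    home = tempfile.mkdtemp()
    files = {
        "etc/system/local/inputs.conf":
            "[WinEventLog://Security]\ndisabled = 0\n",
        "etc/apps/syslog_inputs/local/inputs.conf":
            "[monitor://D:\\syslog\\firewall\\*.log]\nsourcetype = syslog\nindex = netfw\n",
        "etc/apps/syslog_inputs/default/inputs.conf":
            "[monitor://D:\\syslog\\switches]\nsourcetype = syslog\n",
    }
    for rel, body in files.items():
        path = Path(home, rel)
        path.parent.mkdir(parents=True)
        path.write_text(body, encoding="utf-8")
    return home


if __name__ == "__main__":
    for stanza, source in find_input_stanzas(build_sample_tree()):
        print(f"{source}: [{stanza}]")
```

Point `find_input_stanzas` at the real SPLUNK_HOME of the forwarder to list the stanzas it actually loads; the output file path tells you which app to copy to the new instance.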