Hi Forum,
I am currently searching for a way to duplicate data coming in from the universal forwarder to an intermediate heavy forwarder into a 3rd-party syslog.
Meaning I want to index the data into Splunk and concurrently send it to the 3rd-party syslog using UDP(!).
The only working configuration I found is to create a new TCP input at the intermediate heavy forwarder and a new sourcetype. For this new sourcetype, the _SYSLOG_ROUTING will be set to the UDP target. The whole configuration seems a bit complicated and hard to debug. Is there an easier way to duplicate data? In this configuration samplesourcetype is the incoming sourcetype.
**props.conf:**

```ini
# incoming sourcetype: clone to the local re-routing input and to the default group
[samplesourcetype]
TRANSFORMS-routing = duplicate_data_local

# sourcetype assigned by the local tcp input: send this copy to syslog
[samplesourcetype_rerouting]
TRANSFORMS-routing = routetosyslog
```
**transforms.conf:**

```ini
[duplicate_data_local]
REGEX = .+
DEST_KEY = _TCP_ROUTING
FORMAT = defaultgroup, dataduplication

[routetosyslog]
REGEX = .+
DEST_KEY = _SYSLOG_ROUTING
FORMAT = externalsyslog
```
**outputs.conf:**

```ini
# raw (uncooked) copy looped back into the local tcp input below
[tcpout:dataduplication]
disabled = false
server = 127.0.0.1:5001
sendCookedData = false

[syslog:externalsyslog]
server = 10.1.1.70:514
type = udp
priority = NO_PRI
syslogSourceType = "iHF"
dropEventsOnQueueFull = 15
maxEventSize = 1024
```
**inputs.conf:**

```ini
[tcp://5001]
sourcetype = samplesourcetype_rerouting
acceptFrom = 127.0.0.1/8
```
Thanks for your help in advance!
Andreas
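Since the hard part of this setup is seeing where an event actually ends up, here is an added example (not code from the original post or from Splunk) of a small static checker that follows the routing chain through the four conf files: `TRANSFORMS-*` in props.conf, `DEST_KEY`/`FORMAT` in transforms.conf, the matching `[tcpout:...]` or `[syslog:...]` stanza in outputs.conf, and, when a tcpout group loops back to a local `[tcp://port]` input, on through inputs.conf to the re-routed sourcetype. The config text is constructed from the post; the `[tcpout:defaultgroup]` stanza and its server address are assumptions, since the post does not show them. The checker also flags the mistakes that usually break this pattern: a `FORMAT` naming a group that has no stanza, a disabled group, and a loop-back group that still sends cooked data to a raw `tcp://` input.

```python
"""Static checker for a Splunk duplicate-to-syslog routing chain (added example)."""
import configparser

# Constructed from the post. [tcpout:defaultgroup] is an ASSUMPTION (not shown there).
PROPS = """
[samplesourcetype]
TRANSFORMS-routing = duplicate_data_local
[samplesourcetype_rerouting]
TRANSFORMS-routing = routetosyslog
"""
TRANSFORMS = """
[duplicate_data_local]
REGEX = .+
DEST_KEY = _TCP_ROUTING
FORMAT = defaultgroup, dataduplication
[routetosyslog]
REGEX = .+
DEST_KEY = _SYSLOG_ROUTING
FORMAT = externalsyslog
"""
OUTPUTS = """
[tcpout:defaultgroup]
server = 10.1.1.10:9997
[tcpout:dataduplication]
disabled = false
server = 127.0.0.1:5001
sendCookedData = false
[syslog:externalsyslog]
server = 10.1.1.70:514
type = udp
priority = NO_PRI
"""
INPUTS = """
[tcp://5001]
sourcetype = samplesourcetype_rerouting
acceptFrom = 127.0.0.1/8
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost"}
ROUTING_KEYS = {"_TCP_ROUTING": "tcpout", "_SYSLOG_ROUTING": "syslog"}


def load(text):
    """Parse Splunk's INI-style conf text, keeping key case and allowing duplicates."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def resolve(sourcetype, props, transforms, outputs, inputs, _seen=None):
    """Return (destinations, problems) for events carrying `sourcetype`.

    destinations: list of (sourcetype, output stanza, server, protocol)
    problems:     human-readable misconfigurations found along the way
    """
    seen = set() if _seen is None else _seen
    if sourcetype in seen:
        return [], [f"routing loop: {sourcetype} re-enters its own chain"]
    seen.add(sourcetype)
    dests, problems = [], []
    if not props.has_section(sourcetype):
        return dests, [f"no props.conf stanza for sourcetype {sourcetype}"]
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for tname in [t.strip() for t in value.split(",") if t.strip()]:
            if not transforms.has_section(tname):
                problems.append(f"{sourcetype}: transform [{tname}] not defined")
                continue
            dest_key = transforms.get(tname, "DEST_KEY", fallback="")
            prefix = ROUTING_KEYS.get(dest_key)
            if prefix is None:
                problems.append(f"{tname}: DEST_KEY {dest_key!r} is not a routing key")
                continue
            fmt = transforms.get(tname, "FORMAT", fallback="")
            for group in [g.strip() for g in fmt.split(",") if g.strip()]:
                stanza = f"{prefix}:{group}"
                if not outputs.has_section(stanza):
                    problems.append(f"{tname}: output group [{stanza}] not in outputs.conf")
                    continue
                if outputs.get(stanza, "disabled", fallback="false").lower() in ("1", "true"):
                    problems.append(f"[{stanza}] is disabled")
                    continue
                server = outputs.get(stanza, "server", fallback="")
                host, _, port = server.rpartition(":")
                in_stanza = f"tcp://{port}"
                # tcpout group pointing at a local raw tcp input: follow the loop-back.
                if prefix == "tcpout" and host in LOCAL_HOSTS and inputs.has_section(in_stanza):
                    if outputs.get(stanza, "sendCookedData", fallback="true").lower() != "false":
                        problems.append(f"[{stanza}]: sendCookedData must be false for raw [{in_stanza}]")
                    next_st = inputs.get(in_stanza, "sourcetype", fallback=None)
                    if next_st is None:
                        problems.append(f"[{in_stanza}] sets no sourcetype, so re-routing never matches")
                        continue
                    d, p = resolve(next_st, props, transforms, outputs, inputs, seen)
                    dests.extend(d)
                    problems.extend(p)
                else:
                    proto = outputs.get(stanza, "type", fallback="tcp") if prefix == "syslog" else "tcp"
                    dests.append((sourcetype, stanza, server, proto))
    return dests, problems


def check_post_config():
    """Resolve the post's chain for the incoming sourcetype."""
    return resolve("samplesourcetype", load(PROPS), load(TRANSFORMS), load(OUTPUTS), load(INPUTS))


if __name__ == "__main__":
    destinations, issues = check_post_config()
    for hop in destinations:
        print("%s -> [%s] %s (%s)" % hop)
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the real files (`$SPLUNK_HOME/etc/system/local` or, better, the output of `splunk btool <conf> list --debug`) by reading each file into `load()` instead of the constructed strings; the merged btool view matters because a `[tcpout:defaultgroup]` defined in another app is invisible in a single file. With the post's own outputs.conf, which shows no `defaultgroup` stanza, the checker reports that group as missing while still resolving the syslog leg.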