Why is our third party logstash only receiving half of logs forwarded from Splunk?

Hi Team,

We are currently forwarding Windows logs to a third-party SIEM and Logstash, but there is a problem. It looks like the third party is receiving only 50% of the logs although we are forwarding all logs. Firewall rules are in place to forward and receive logs.

The data flow is as below:

Splunk Universal forwarder ---> Splunk HWF ---> Third party using UDP via syslog.

We are using the below config:

**outputs.conf**

```
[tcpout:syslog]
server = destination host:port
```

**props.conf**

```
[windows]
TRANSFORMS-forward = windows
```

**transforms.conf**

```
[windows]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=syslog
```

Am I missing something? What difference will it make if I add the below config?

```
sendCookedData=false
```

Are there any limitations on how much data we can forward via UDP? We are trying to send almost a few GB of logs per second. There are no errors in the splunkd logs or metrics.log.

Please advise.
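The configuration posted above defines a `tcpout` group, which Splunk sends over TCP, whereas UDP syslog output is configured with a `[syslog:<group>]` stanza and selected with `_SYSLOG_ROUTING`. The sketch below is an added example for comparison, not part of the original post; the group name `third_party_udp`, the transform name `route_windows_syslog` and the `<destination-host>:<port>` placeholder are assumptions.

```ini
# ---- outputs.conf (on the heavy forwarder) ----
# A [syslog:<group>] stanza emits plain syslog, not Splunk-to-Splunk
# traffic. sendCookedData is a tcpout setting and is not used here.
[syslog:third_party_udp]
server = <destination-host>:<port>
# UDP has no acknowledgement or flow control, so datagrams dropped
# under load are not reported in splunkd.log; "type = tcp" is the
# alternative when the receiver supports it.
type = udp

# ---- props.conf ----
# Same sourcetype stanza as in the question, pointing at the
# syslog-routing transform defined below.
[windows]
TRANSFORMS-forward = route_windows_syslog

# ---- transforms.conf ----
# _SYSLOG_ROUTING selects a [syslog:<group>] output group;
# _TCP_ROUTING (used in the question) selects a [tcpout:<group>] group.
[route_windows_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = third_party_udp
```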
