Forward in syslog or HTTP formats
This topic explains how to set up a Splunk forwarder to send data in standard syslog or HTTP format.
When configured this way, Splunk sends the data through a separate output processor. Splunk forwards RFC 3164 compliant events from any platform to a TCP/UDP based server and port, making the payload of any non-compliant data RFC 3164 compliant. You can specify any of the following:
- TCP priority (combination of facility and severity)
- Ability to specify a regex and forward only the data that matches it, via props/transforms
- Filter what is sent by source type or other metadata, again via props/transforms
- Mandatory truncation of data to 1024 (to comply with RFC 3164)
To set this up, you must first identify the system or systems to which the Splunk forwarder will send syslog or HTTP formatted data, and add them to a target group that you define in $SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder.
Note: If you have defined multiple event types for syslog data, the event type names must all include the string 'syslog' or this feature will not work.
############
#----Syslog output----
############
# The following configuration is used to send output using syslog

[syslog:$TARGET_GROUP]
attribute1 = val1
attribute2 = val2
...

#----REQUIRED SETTINGS----
# Required settings for syslog output:

server = ip/servername:<port>
* IP or servername where syslog server is running
* Port on which syslog server is listening.
* There is no default value. You must specify a port. Syslog, by default, uses 514.

#----OPTIONAL SETTINGS----
# Optional settings for syslog output:

type = tcp | udp
* Protocol used. If type is not specified, default is udp.

priority = <ddd>
* ddd is the value that will appear as <ddd> in the syslog header
* Users should compute ddd as (<facility> * 8) + <severity>
* If facility is 4 (security/authorization messages) and severity is 2 (Critical: critical conditions), the priority value will be 34 = (4 * 8) + 2.
* TODO: default = ?

syslogSourceType = <string>
* string representing the sourceType for syslog.
* In absence of this attribute, "sourcetype::syslog" is assumed as the source type for the syslog message

timestampformat = <%b %e %H:%M:%S>
* If specified, the format is used when adding the timestamp into the header
* TODO: default = ?

############
#----HTTP output----
############
# The following configuration is used to send output via http:

[httpoutput:$TARGET_GROUP]
attribute1 = val1
attribute2 = val2
...

#----REQUIRED SETTINGS----
# Required settings for HTTP output:

username = <username>
* username used to authenticate against the splunk indexer

password = <password>
* password used to authenticate against the splunk indexer

server = ip/servername:port
* ip/servername of the splunk receiver
* port that the splunk receiver is listening on

#----OPTIONAL SETTINGS----
# Optional settings for HTTP output:

ssl = true | false
* Set SSL for HTTP output.
* Defaults to true.
Example
Send a subset of data to syslog
This example shows how to forward a subset of your data from Splunk to a third-party system that accepts syslog protocol data. Here we're going to configure Splunk to forward data from hosts whose hostnames begin with nyc to our remote syslog server loghost.example.com:514.
1. First, edit props.conf and transforms.conf to specify which data to send to the non-Splunk system.
In props.conf, apply the send_to_syslog transform to all hostnames beginning with nyc:
[host::nyc*]
TRANSFORMS-nyc = send_to_syslog
In transforms.conf, use the REGEX key to define a regular expression that identifies the specific events you want to send (in this case, everything), the FORMAT key to set the target output group (in this case, my_syslog_group), and the DEST_KEY key set to _SYSLOG_ROUTING to specify that we want syslog routing:
[send_to_syslog]
REGEX = .*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
2. Next, define the target output group in outputs.conf:
[syslog:my_syslog_group]
disabled = false
server = loghost.example.com:514
3. Restart Splunk. That's it. Now any data coming in from hosts nyc1.example.com, nyc-a.example.com, and so on, will be forwarded to our non-Splunk syslog server loghost.example.com:514.
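As an added example (not part of the original Splunk documentation), the following Python helper computes the outputs.conf priority value from facility and severity names using the (facility * 8) + severity rule above, and runs a receiver-side check over constructed sample lines as loghost.example.com might see them: it decodes the <ddd> header, confirms the host matches the [host::nyc*] filter from the example, and flags events that hit the 1024 limit. The facility and severity names, the "nyc" prefix and the sample lines are assumptions for illustration.

```python
import re

# Facility/severity codes from RFC 3164 (the page's example uses facility 4,
# severity 2). Facilities 12-15 are numbered by the RFC without short names.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
RFC3164_MAX_LEN = 1024  # the forwarder truncates each event to this length

# Header layout produced by the timestampformat "%b %e %H:%M:%S":
# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")

def priority(facility: str, severity: str) -> int:
    """Value for outputs.conf 'priority = <ddd>': (facility * 8) + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_priority(pri: int) -> tuple:
    """Inverse of priority(): facility and severity names from a PRI value."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside the RFC 3164 range 0-191")
    fac_names = {v: k for k, v in FACILITIES.items()}
    sev_names = {v: k for k, v in SEVERITIES.items()}
    return fac_names.get(pri // 8, f"facility{pri // 8}"), sev_names[pri % 8]

def check_received(line: str, host_prefix: str = "nyc") -> dict:
    """Receiver-side check of one forwarded line: PRI decodes, host matches the
    props.conf [host::nyc*] filter (assumed prefix), event not cut at 1024."""
    m = HEADER_RE.match(line)
    if not m:
        return {"ok": False, "reason": "not an RFC 3164 header"}
    fac, sev = decode_priority(int(m["pri"]))
    return {"ok": m["host"].startswith(host_prefix), "facility": fac,
            "severity": sev, "host": m["host"],
            "truncated": len(line.encode()) >= RFC3164_MAX_LEN}

if __name__ == "__main__":
    # Constructed sample lines (not real log data) as loghost might receive them.
    head = "<13>Oct 11 22:14:17 nyc-a.example.com app: "
    samples = [
        "<34>Oct 11 22:14:15 nyc1.example.com sshd[4711]: Accepted publickey for ops",
        "<34>Oct 11 22:14:16 sfo2.example.com sshd[4712]: session opened",
        head + "x" * (RFC3164_MAX_LEN - len(head))]
    for s in samples:
        print(check_received(s))
```

A line from a host outside the nyc prefix reaching loghost means the props.conf stanza or the transform is not filtering as intended; a line reported as truncated has lost its tail to the 1024 limit.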
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11