We have a Universal Forwarder on a Domain Controller (DC) that is forwarding all the local logs to a 4.1.7 Forwarder. The 4.1.7 Forwarder is then sending the logs to an Indexer, as well as an IDS via syslog. This 4.1.7 Forwarder is also collecting tons of WMI logs which are being observed on both the Indexer and IDS.

We are seeing the DC logs come across to the indexer; however, we are not seeing any of the DC logs go to the IDS. As the Universal Forwarder sends cooked data, I tried setting cooked data to false:

This is the Universal Forwarder config (/etc/system/local/outputs.conf):

[tcpout]
defaultGroup = splunk02..._9998
disabled = false
indexAndForward = 0

[tcpout:splunk02..._9998]
server = splunk02...:9998

[tcpout-server://splunk02...:9998]
sendCookedData=false

After this change I was still able to observe DC logs on the Indexer, but none on the IDS. For troubleshooting purposes I installed a LightForwarder on the DC and was able to see DC logs on both the Indexer and the IDS. This leads me to believe that the data is getting cooked by the Universal Forwarder. Anyone have any ideas on how to make the Universal Forwarder send data uncooked, or see what I'm doing wrong here?

Here is the config on the 4.1.7 Forwarder (/etc/system/local):

outputs.conf

[tcpout]
disabled = false
indexAndForward = false

[syslog:my_syslog_group]
disabled = false
server = 10.x.x.x:514
type = udp
sendCookedData = false

props.conf

[host::*]
DATETIME_CONFIG = NONE
TRANSFORMS-ROUTING = send_to

transforms.conf

[send_to_AG]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group

Thanks, I-Man

asked 13 Apr '11, 15:25

I-Man

edited 15 Aug '11, 10:29
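The routing on the 4.1.7 forwarder depends on three files agreeing with each other: the TRANSFORMS-* setting in props.conf must name a stanza that exists in transforms.conf, and a transform that sets _SYSLOG_ROUTING (or _TCP_ROUTING) must name a group that outputs.conf defines as [syslog:group] (or [tcpout:group]). The script below is an added check written for this page, not part of the original thread and not a Splunk tool; it parses the three files and reports any link in that chain that does not resolve. The sample contents are constructed to mirror the stanzas posted above, and on them it reports that props.conf refers to a transform named send_to while transforms.conf defines [send_to_AG].

```python
"""Added check: resolve the props.conf -> transforms.conf -> outputs.conf
routing chain of a Splunk heavy forwarder and report any link that does not
resolve. The three sample files below are constructed to mirror the stanzas
posted in the question; they are not copied from a live system."""
import configparser
from typing import Dict, List

# Constructed sample input, mirroring the posted 4.1.7 forwarder config.
PROPS_CONF = """
[host::*]
DATETIME_CONFIG = NONE
TRANSFORMS-ROUTING = send_to
"""

TRANSFORMS_CONF = """
[send_to_AG]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = my_syslog_group
"""

OUTPUTS_CONF = """
[tcpout]
disabled = false
indexAndForward = false

[syslog:my_syslog_group]
disabled = false
server = 10.x.x.x:514
type = udp
sendCookedData = false
"""

# Routing DEST_KEYs and the outputs.conf stanza prefix each one selects.
ROUTING_DEST_KEYS = {"_SYSLOG_ROUTING": "syslog:", "_TCP_ROUTING": "tcpout:"}

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Only '=' is a delimiter (stanza names and values contain ':'), and key
    case is preserved because Splunk keys such as DEST_KEY are case-sensitive.
    """
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      interpolation=None)
    cp.optionxform = str  # keep key case
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def check_routing(props: Conf, transforms: Conf, outputs: Conf) -> List[str]:
    """Return a list of problems; an empty list means every TRANSFORMS-*
    reference resolves to a transform whose routing group exists and is
    enabled in outputs.conf."""
    problems: List[str] = []
    referenced = set()
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-<class> value is a comma-separated list of stanzas.
            for name in (n.strip() for n in value.split(",") if n.strip()):
                referenced.add(name)
                if name not in transforms:
                    problems.append(f"props.conf [{stanza}] {key} references "
                                    f"'{name}', which transforms.conf does not define")
                    continue
                dest = transforms[name].get("DEST_KEY")
                if dest not in ROUTING_DEST_KEYS:
                    continue  # not a routing transform; nothing more to check
                prefix = ROUTING_DEST_KEYS[dest]
                groups = [g.strip() for g in
                          transforms[name].get("FORMAT", "").split(",") if g.strip()]
                if not groups:
                    problems.append(f"transforms.conf [{name}] sets {dest} but has no FORMAT")
                for group in groups:
                    out = outputs.get(prefix + group)
                    if out is None:
                        problems.append(f"transforms.conf [{name}] routes to {dest} group "
                                        f"'{group}', but outputs.conf has no "
                                        f"[{prefix}{group}] stanza")
                    elif out.get("disabled", "false").lower() in ("1", "true"):
                        problems.append(f"outputs.conf [{prefix}{group}] is disabled")
    # A routing transform nobody references is the usual sign of a typo.
    for name, settings in transforms.items():
        if settings.get("DEST_KEY") in ROUTING_DEST_KEYS and name not in referenced:
            problems.append(f"transforms.conf [{name}] sets {settings['DEST_KEY']} "
                            f"but no TRANSFORMS-* setting in props.conf references it")
    return problems


def lint(props_text: str, transforms_text: str, outputs_text: str) -> List[str]:
    """Parse the three files and run the routing check on them."""
    return check_routing(parse_conf(props_text), parse_conf(transforms_text),
                         parse_conf(outputs_text))


if __name__ == "__main__":
    for line in lint(PROPS_CONF, TRANSFORMS_CONF, OUTPUTS_CONF) or ["routing chain resolves"]:
        print(line)
```

Point the three string constants at the real files under $SPLUNK_HOME/etc/system/local (or the app directory that holds them) to run it against a forwarder; a clean run only shows that the stanza names line up, not that data reaches the syslog destination.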


2 Answers:

An upgrade resolved the issue.


answered 22 Sep '11, 12:41

I-Man

Hi I-Man

Have you tried the following stanza in outputs.conf?

[tcpout-server://splunk02...:9998]
server = 10.255.4.213:514
sendCookedData=false

I am just basing that off the documentation for forwarding data found here. I am not entirely certain how you want to send data, but if it's a subset of syslog data then you may be interested in the section near the end (found here).


answered 13 Apr '11, 19:08

Rob ♦

No luck but thanks for the suggestion. I spoke with Splunk support regarding this and their best guess was that there is an issue with the 4.2 UF sending to the 4.1.7 forwarder. They suggested that I upgrade the forwarders when 4.2.1 is available in a week or two and see if that works.

(13 Apr '11, 20:59) I-Man

Copyright © 2005-2012 Splunk Inc. All rights reserved.