First of all, can UFs send syslog to a third party? The documentation says, "You can configure a forwarder" but does not specify. It also says "You can also filter the data with props.conf and transforms.conf (heavy forwarder only)". That is NOT what I want to do. The UF is already forwarding to an Indexer; now I need it to send everything to a third party IDS via syslog. I've tried variations of the example here but haven't had any luck. I think my main issue is not fully understanding the relationship between props, transforms, and outputs.

outputs.conf

I need to send everything to the IDS and don't want to do any filtering, therefore I don't think I need a transform. But do I still need to make a group in props? Thanks
Please read this, Forward Data to Third Party.

Yeah, that's the link I included in my question. What would the target group be? How do I specify the target group?
(16 Aug '11, 06:08)
I-Man
What about putting an outputs.conf on the indexers to forward data out via syslog? The universal forwarders don't do any filtering or anything, and might not even be capable of doing syslog output.

Thanks for the response. Setting an outputs.conf on the Indexer is an option, but wanted to explore this first as it could reduce cpu/bandwidth on the Indexer. Once again, the Doc doesn't explicitly say that UF does not send syslog. It only says that you need a heavy forwarder to do any filtering, which I am not trying to accomplish.
(16 Aug '11, 12:09)
I-Man
