Forwarding data from Heavy forwarder to syslog ser...

eorMsisseL · ‎11-21-2020

We're trying to do:

Collect Event Log by REST input on Splunk Enterprise 8.1 --> HF (v8.1 on Windows) --> external Syslog destination.

The logs forwarded from splunk are available on the syslog server and contain the logs we need, but they also contain many audit logs from splunk itself.
No matter how much we modify output.conf we cannot change this.
What do we need to configure in order to filter the audit logs of splunk itself?

Thanks.

Here is the config:

C:\Program Files\Splunk\etc\apps\SplunkForwarder\default\

outputs.conf

[syslog]
defaultGroup = vco_event_group
priority = NO_PRI
syslogSourceType = sourcetype::vco_event_log

[syslog:vco_event_group]
server = 172.16.36.251:5140

props.conf

[vco_event_log]
TRANSFORMS-vco_event_log = vco_to_syslog

transforms.conf

[vco_to_syslog]
DEST_KEY = MetaData:Sourcetype
REGEX = vco_event_log
FORMAT = vco_event_group

Audit log on Syslog Server

Syslog

log we needed

event info.

Event Info

to4kawa · ‎11-24-2020

https://community.splunk.com/t5/Getting-Data-In/Filtering-events-using-NullQueue/m-p/66392

How about just sending the audit log to the null queue?

Forwarding data from Heavy forwarder to syslog server exclude audit.log

heavy forwarder

modular input

Windows

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!