How the Splunk platform handles syslog data over the UDP network protocol

If you run Splunk Cloud Platform, you can configure the Splunk universal forwarder to listen on a User Datagram Protocol (UDP) network port and forward that data to your Splunk Cloud Platform deployment. Splunk Enterprise indexers can act as syslog servers that handle incoming data streams that comply with the syslog messaging standard. Splunk Enterprise can also act as a syslog message sender. Splunk Cloud Platform cannot send syslog messages, nor can it move messages from one device to another.

How the Splunk platform handles syslog inputs

When you configure a UDP network input to listen to a syslog-standard data stream on Splunk Enterprise or the universal forwarder, any syslog events that arrive through the input receive a timestamp and a connected host field. The platform prepends these fields to each event before it indexes them. When you configure a universal forwarder to send data to Splunk Cloud Platform, Splunk Cloud Platform indexes the fields as it receives them from the universal forwarder.

The Splunk platform does not modify Transmission Control Protocol (TCP) network packets in this fashion. If you send syslog data over TCP, the platform does not strip the priority information from the events. It does, however, prepend a host name and timestamp to the event unless you configure it not to. Each TCP source stream is assigned to one data pipeline (it is not spread across several), so plan for scalability accordingly.

How Splunk Enterprise handles syslog outputs

The following section applies to Splunk Enterprise only. Neither Splunk Cloud Platform nor the universal forwarder can forward events to another syslog server.

Splunk Enterprise can forward events to another syslog server. When it does, it prepends the priority information to the event so that the downstream syslog server can interpret the events properly. When the event reaches the downstream syslog server, that machine prepends a timestamp, priority, and connected host name (which is the Splunk Enterprise instance) to the event. You can also prepend a timestamp and host name to the event at the time you forward it to the syslog server. You do this as part of modifying the data as it leaves the Splunk Enterprise instance. For information on configuring routing, filtering, and the use of source types, see Route and filter data in the Splunk Enterprise Forwarding Data manual and the nf spec file in the Admin Manual.

How Splunk Enterprise moves syslog events when you configure it to use the syslog source type

The following section applies to Splunk Enterprise only. Splunk Cloud Platform cannot send syslog events to another downstream syslog server.

The following diagram shows how Splunk Enterprise moves two syslog messages from one syslog server to another. In the diagram, Splunk Enterprise listens on a UDP network port and indexes incoming events. On the other side, the same instance forwards events to a third-party syslog server.
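The two sections above (syslog inputs over UDP versus TCP, and the Splunk Enterprise syslog output) describe what is prepended to or stripped from a syslog line at each hop. The following Python model, added here as an example and not code from Splunk or its documentation, traces one message through those stages so the effect of "priority stripping" and of the prepended timestamp and host fields is visible. The sample message, the host names 203.0.113.1 and splunk01, the timestamp format, the `append_timestamp` flag and the default priority 13 are assumptions made for the example, not Splunk settings.

```python
"""
Added example, not Splunk's own code: a small model of what the page
describes happening to a syslog line on its way into the Splunk platform
(UDP input vs TCP input) and on its way out of Splunk Enterprise to a
downstream syslog server. Sample messages, host names, the timestamp
format and the default priority 13 are constructed for the example.
"""
import re
from datetime import datetime

PRI_RE = re.compile(r"^<(\d{1,3})>")
STAMP_FMT = "%b %d %H:%M:%S"          # assumed RFC 3164-style format
DEFAULT_PRI = 13                       # user.notice, the RFC 3164 default


def split_pri(msg):
    """Return (priority value or None, message without its <PRI> prefix).

    PRI is facility*8 + severity and cannot exceed 191 (local7.debug), so
    a larger number in angle brackets is treated as ordinary text.
    """
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return None, msg
    return int(m.group(1)), msg[m.end():]


def decode_pri(pri):
    """Split a PRI value into (facility, severity); 34 -> (4, 2) = auth.crit."""
    return divmod(pri, 8)


def ingest(msg, transport, connected_host, now, append_timestamp=True):
    """Model of the input side described on the page.

    udp: the <PRI> prefix is stripped, and a timestamp plus the connected
         host are prepended before the event is indexed.
    tcp: the packet is not altered that way; <PRI> stays in the event, and
         a timestamp and host name are prepended unless disabled
         (append_timestamp is this example's own flag, not a Splunk setting).
    """
    if transport == "udp":
        _, body = split_pri(msg)
        return f"{now.strftime(STAMP_FMT)} {connected_host} {body}"
    if transport == "tcp":
        if append_timestamp:
            return f"{now.strftime(STAMP_FMT)} {connected_host} {msg}"
        return msg
    raise ValueError("transport must be 'udp' or 'tcp'")


def forward_to_syslog(event, priority=DEFAULT_PRI, splunk_host=None, now=None):
    """Model of the Splunk Enterprise syslog output.

    A <PRI> is prepended so the downstream server can classify the event;
    optionally a timestamp and the forwarding host name are prepended too.
    """
    if splunk_host is not None and now is not None:
        event = f"{now.strftime(STAMP_FMT)} {splunk_host} {event}"
    return f"<{priority}>{event}"


def downstream_receive(wire_msg, connected_host, now):
    """What the page says the receiving syslog server does: prepend its own
    timestamp, priority and the connected host (the Splunk instance).
    A message that arrives without a PRI is given 13, as RFC 3164 prescribes."""
    pri, body = split_pri(wire_msg)
    if pri is None:
        pri = DEFAULT_PRI
    return f"<{pri}>{now.strftime(STAMP_FMT)} {connected_host} {body}"


# Constructed sample: an auth.crit (PRI 34) line from a firewall host.
SAMPLE = ("<34>Oct 11 22:14:15 fw01 sshd[1234]: "
          "Failed password for root from 203.0.113.5 port 51234 ssh2")
NOW = datetime(2024, 10, 11, 22, 14, 15)


def trace(msg=SAMPLE, now=NOW):
    """Run one message through every stage and return each intermediate form."""
    via_udp = ingest(msg, "udp", "203.0.113.1", now)
    via_tcp = ingest(msg, "tcp", "203.0.113.1", now)
    wire = forward_to_syslog(via_udp, splunk_host="splunk01", now=now)
    return {
        "udp_indexed": via_udp,
        "tcp_indexed": via_tcp,
        "forwarded": wire,
        "downstream": downstream_receive(wire, "splunk01", now),
    }


if __name__ == "__main__":
    for stage, text in trace().items():
        print(f"{stage:12} {text}")
```

Running the trace shows the UDP branch losing `<34>` (and with it the auth.crit classification) while gaining a second timestamp and host in front of the ones the sender already wrote, and the TCP branch keeping `<34>` intact. Two practical consequences follow: if the facility and severity matter for detection, keep them in the event (TCP, or the source type and input settings the page points to) rather than reconstructing them later; and because UDP has no handshake, the connected host recorded by a UDP input is whatever source address the datagram carried, so treat it as a hint rather than an authenticated identity.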