I set up syslog output forwarding per the Splunk docs, but am not seeing anything being sent out nor receiving it on the endpoint.
Here is what I have applied on the heavy forwarder's outputs.conf:
```ini
[tcpout]
defaultGroup = indexer_group,forwarders_syslog
useACK = true

[tcpout:indexer_group]
server = indexer_ip_address:indexer_port
clientCert = xxxxxxxx
maxQueueSize = 20MB
sslPassword = xxxxxxxxx

[tcpout:forwarders_syslog]
server = syslog_ip:syslog_port
clientCert = xxxxxxx
maxQueueSize = 20MB
sslPassword = xxxxxxxx
blockOnCloning = false
dropClonedEventsOnQueueFull = 10
useACK = false
```
**Note :-**
The configuration for forwarding the data to syslog can be found under `[tcpout:forwarders_syslog]`.
The following errors are found in splunkd.log when the heavy forwarder is trying to forward the logs to the syslog server:
```
WARN TcpOutputProc - Cooked connection to ip=syslog_ip:syslog_port timed out
ERROR TcpOutputFd - Connection to host=syslog_ip:syslog_port failed
WARN TcpOutputFd - Connect to syslog_ip:syslog_port failed. Connection refused
```
Also, I do not see any connection issues when I try to troubleshoot as follows:
**In heavy forwarder :-**
Tried to telnet to the syslog server from the heavy forwarder on the specified port and see that it gets connected.
**In receiving server**
```
netstat -tnlp | grep rsyslog
```
Tried the above and see that the port specified in the heavy forwarder is listening on TCP.
Not sure where and what else I should be checking to get whatever the heavy forwarder is currently transferring to the indexer also sent to a syslog server.
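For comparison, here is an added outputs.conf example (not from the original post or from Splunk's documentation verbatim) showing the `[syslog]` output stanza that Splunk uses for plain syslog, placed beside a `[tcpout]` group of the kind posted above. The log lines in the post say "Cooked connection": a `[tcpout]` group speaks Splunk's cooked splunk-to-splunk protocol, which an rsyslog TCP listener does not understand, so the connect succeeds at the socket level (telnet works, netstat shows the listener) but no usable events arrive. The `[syslog:<name>]` stanza sends RFC-style syslog lines instead, and the indexer group keeps its existing `[tcpout]` path, so the same events go to both. The host, port and group names are placeholders, and the `[syslog]` `defaultGroup` applies to all data passing through the heavy forwarder's parsing pipeline.

```ini
# Added example: heavy forwarder outputs.conf that sends the same data
# to Splunk indexers (cooked, over tcpout) AND to an rsyslog TCP listener
# (plain syslog, over the [syslog] output). Host/port values are placeholders.

# --- Splunk-to-Splunk path (unchanged from the posted config) ---
[tcpout]
defaultGroup = indexer_group
useACK = true

[tcpout:indexer_group]
server = indexer_ip_address:indexer_port
clientCert = xxxxxxxx
sslPassword = xxxxxxxxx
maxQueueSize = 20MB

# --- Syslog path: do NOT use a [tcpout:...] group for a syslog receiver.
# The cooked protocol is only understood by Splunk receivers.
[syslog]
defaultGroup = forwarders_syslog

[syslog:forwarders_syslog]
server = syslog_ip:syslog_port
# rsyslog must be listening with imtcp on this port; use udp for imudp.
type = tcp
# Send events without the <PRI> header; set a priority value here instead
# if the receiver expects one (for example priority = <13>).
priority = <NO_PRI>
maxQueueSize = 20MB

# Alternative (not recommended for syslog) if a raw-TCP receiver is required:
# a [tcpout:<group>] stanza with  sendCookedData = false  and  useACK = false
# emits raw event text rather than the cooked protocol shown in the errors.
```

After applying this, restart splunkd and check `splunkd.log` for `SyslogOutputProcessor` messages instead of `TcpOutputProc`; on the rsyslog host, a packet capture on the listening port (for example `tcpdump -A -i any port syslog_port`) should now show readable event text rather than the binary framing of the cooked protocol.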