Hi,
I need to change a bit of my Splunk architecture and split the data output as follows:
1. Forward from Heavy Forwarder to Splunk Indexer
2. Forward from the same Heavy Forwarder to a Syslog server.
The first one is easy to do, but the problem is with the second one. My server receives events which are on multiple lines (e.g. Windows Event Logs) and I need to forward them to a syslog server as single line events as a cheaper backup.
How do I get the logs to forward "blindly" to one Splunk server while parsing them into one line and forwarding them to another non-splunk server?
Thanks!
Ken
↧