Here is my setup on my Heavy Forwarder:
**inputs.conf**
```
[udp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0

[tcp://:514]
sourcetype = syslog
connection_host = ip
disabled = 0
```
**outputs.conf**
```
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = < ip-address >:9997, < ip-address >:9997
```
However, on my indexers, I'm only able to see source tcp:514. My UDP syslogs are not being indexed.
Any idea where I went wrong?
**EDIT (resolved):**
Just to update: I configured my props.conf and that solved the issue.
Old configuration:
```
[host::10.1.1.1]
TRANSFORMS-change = change
```
Corrected configuration:
```
[source::udp:514]
TRANSFORMS-change = change
```
Hope this might be useful to anyone who is trying to achieve something similar to what I'm trying.