
Splunk

This guide explains how to configure Splunk to forward logs to a designated Syslog endpoint. A Splunk heavy forwarder can send events directly to an external Syslog server, enabling integration with third-party services. Syslog output requires the parsing pipeline, so it is available on Splunk Enterprise and heavy forwarders but not on the Universal Forwarder.

Prerequisites

  • A Splunk Enterprise instance or a Splunk heavy forwarder (syslog output is not supported on the Universal Forwarder).
  • Administrative access to the Splunk Web interface or CLI.
  • The Syslog endpoint and port provided by the service (replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> with the actual values).

Step 1: Configure a Splunk Forwarder

If you haven't already, install a Splunk forwarder on the source system where your logs are generated. For syslog output this must be a heavy forwarder (a Splunk Enterprise instance configured to forward rather than index), because events are parsed before they are re-emitted in syslog format. The Universal Forwarder only sends data to Splunk indexers (or as raw TCP) and cannot route events to a Syslog server.

Step 2: Set Up Forwarding to Syslog

Via Splunk Web Interface

  1. Log in to the Splunk Web interface.
  2. Navigate to Settings > Data outputs > Syslog.
  3. Click New to add a new Syslog server configuration.
  4. Fill in the details for your Syslog endpoint:
    • Name: Enter a unique name for the Syslog destination.
    • Server: Enter <SYSLOG_ENDPOINT>:<SYSLOG_PORT>.
    • Protocol: Select the protocol used by your Syslog server. UDP is the common default, but it gives no delivery confirmation and no encryption, so events are sent in clear text and may be silently lost; prefer TCP where the receiver supports it, and keep the path to the Syslog server on a trusted network segment.
  5. Save the configuration.

Via Splunk CLI

The Splunk CLI has no command for creating a syslog output (splunk add forward-server only creates tcpout destinations for Splunk receivers). To configure syslog forwarding from the command line, edit outputs.conf and inputs.conf directly as shown in Step 3, then restart the forwarder so the new stanzas are loaded:

splunk restart

Replace <SYSLOG_ENDPOINT> and <SYSLOG_PORT> in the configuration files with your specific values before restarting.

Step 3: Configure Forwarding Rules

Define what data you want to forward to the Syslog server by configuring inputs and forwarding rules. This can be done in the inputs.conf and outputs.conf files on the Splunk Forwarder.

Example outputs.conf Configuration

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server=<SYSLOG_ENDPOINT>:<SYSLOG_PORT>
type=udp

Example inputs.conf Configuration

[monitor:///var/log/myapp]
disabled = false
index = main
sourcetype = myapp_log
_SYSLOG_ROUTING = syslogGroup

Adjust the file paths, index, and sourcetype according to your environment. Note that the routing key for a syslog group is _SYSLOG_ROUTING; _TCP_ROUTING selects tcpout groups and would leave the syslog destination unused. Restart the forwarder after editing the files and confirm on the Syslog server that events from /var/log/myapp arrive.
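A routing mistake in these files does not produce an error at startup; events simply never reach the Syslog server. The following added example (not Splunk's own code) lints an outputs.conf/inputs.conf pair before you restart: it checks that defaultGroup and every _SYSLOG_ROUTING value point at a defined [syslog:<group>] stanza, that server is a host:port pair, that type is udp or tcp, and it flags an input that names a syslog group through _TCP_ROUTING. The two sample configurations and the host syslog.example.internal are constructed for the demo.

```python
"""Lint a Splunk outputs.conf / inputs.conf pair for syslog routing mistakes.

Added example, not Splunk code. It only understands the settings used on this
page: [syslog] defaultGroup, [syslog:<group>] server/type, and the
_SYSLOG_ROUTING / _TCP_ROUTING keys on input stanzas.
"""
import re


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk .conf files are INI-like but keys are case-sensitive, so a small
    hand-rolled parser is used instead of configparser (which lower-cases keys).
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


SERVER_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")


def lint_syslog_routing(outputs_text, inputs_text):
    """Return (errors, warnings) for the syslog routing in the two files."""
    errors, warnings = [], []
    outputs = parse_conf(outputs_text)
    inputs = parse_conf(inputs_text)

    # Syslog destination groups: [syslog:<group>] stanzas in outputs.conf.
    groups = {name.split(":", 1)[1]: body
              for name, body in outputs.items() if name.startswith("syslog:")}
    if not groups:
        errors.append("outputs.conf: no [syslog:<group>] stanza defined")

    default = outputs.get("syslog", {}).get("defaultGroup")
    if default and default not in groups:
        errors.append(f"outputs.conf: defaultGroup={default} has no [syslog:{default}] stanza")

    for name, body in groups.items():
        server = body.get("server", "")
        m = SERVER_RE.match(server)
        if not m or not 1 <= int(m.group("port")) <= 65535:
            errors.append(f"[syslog:{name}]: server must be <host>:<port>, got {server!r}")
        proto = body.get("type", "udp").lower()  # Splunk defaults the type to udp
        if proto not in ("udp", "tcp"):
            errors.append(f"[syslog:{name}]: type must be udp or tcp, got {proto!r}")
        elif proto == "udp":
            warnings.append(f"[syslog:{name}]: UDP syslog is unencrypted and unacknowledged; "
                            "use tcp if the receiver supports it")

    for name, body in inputs.items():
        routed = body.get("_SYSLOG_ROUTING")
        if routed is not None:
            for g in (x.strip() for x in routed.split(",")):
                if g not in groups:
                    errors.append(f"[{name}]: _SYSLOG_ROUTING={g} has no matching [syslog:{g}] stanza")
        # _TCP_ROUTING selects tcpout groups; naming a syslog group here is the
        # classic mistake that leaves the syslog destination unused.
        tcp_routed = body.get("_TCP_ROUTING")
        if tcp_routed in groups:
            errors.append(f"[{name}]: _TCP_ROUTING={tcp_routed} names a syslog group, "
                          "not a tcpout group; use _SYSLOG_ROUTING for syslog output")
    return errors, warnings


# Constructed sample pair (hypothetical host); the routing key is correct here.
GOOD_OUTPUTS = """
[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server=syslog.example.internal:514
type=udp
"""
GOOD_INPUTS = """
[monitor:///var/log/myapp]
disabled = false
index = main
sourcetype = myapp_log
_SYSLOG_ROUTING = syslogGroup
"""
# Same input, but routing the syslog group through _TCP_ROUTING by mistake.
BAD_INPUTS = GOOD_INPUTS.replace("_SYSLOG_ROUTING", "_TCP_ROUTING")

if __name__ == "__main__":
    for label, inp in (("good", GOOD_INPUTS), ("bad", BAD_INPUTS)):
        errs, warns = lint_syslog_routing(GOOD_OUTPUTS, inp)
        print(f"{label}: errors={errs} warnings={warns}")
```

Run it against your real files by reading them in place of the constructed strings; treat any entry in errors as a blocker before restarting, and treat the UDP warning as the prompt to check whether the Syslog endpoint accepts TCP.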