Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I forward all rsyslog output from an ubuntu server to my Splunk 4.1 server?

rogerssoftware
Explorer
‎04-06-2010 09:35 PM

On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9.10 servers with Splunk v4.1 and rsyslog v4.

I searched and found that I should can a receiving port, 2010, in "Manager » Forwarding and receiving » Receive data", and also added the following line in /etc/rsyslog.conf on the sending server and restarted rsyslog:

*.* @@192.168.10.7:2010;SyslFormat

Splunk never receives anything from the remote server with this setup. Is there something I'm missing here?

TIA, Cotton

Also, it won't let me add 'rsyslog' or 'receiving' tags...

    * new users can't create tags; 'rsyslog forwarding' are new tags
Tags (1)
Reply

Dan
Splunk Employee
Splunk Employee
‎04-07-2010 03:08 AM

This should probably be posted as a separate question.

I recommend using a forwarder for multiple reasons - chiefly for reliability. See this answer: http://answers.splunk.com/questions/1114/what-happens-to-my-events-at-splunk-light-forwarder-when-th....

Also, you can still use the Splunk LWF. The following is what you are losing, none of which - with the exception of fschange - will interfere with the unix app: http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders

0 Karma
Reply

rogerssoftware
Explorer
‎04-06-2010 11:43 PM

It was the "SyslFormat" part at the end of that rsyslog.conf file, it should have been:

*.* @@192.168.10.7:2010;
Reply

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:38 PM

Forwarding and receiving is intended for receiving from another Splunk instance (usually a Splunk forwarder). You want to go to Manager » Data Inputs and open a udp port, or tcp if that's an option for rsyslog.

Reply

rogerssoftware
Explorer
‎04-06-2010 11:07 PM

I have tried that also, restarting splunk of course, with no results.

Any other ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...