How do I forward all rsyslog output from an ubuntu server to my Splunk 4.1 server?

rogerssoftware
Explorer

On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9.10 servers with Splunk v4.1 and rsyslog v4.

I searched and found that I should open a receiving port, 2010, in "Manager » Forwarding and receiving » Receive data", and also added the following line in /etc/rsyslog.conf on the sending server and restarted rsyslog:

*.* @@192.168.10.7:2010;SyslFormat

Splunk never receives anything from the remote server with this setup. Is there something I'm missing here?

TIA, Cotton

Also, it won't let me add 'rsyslog' or 'receiving' tags...


Dan
Splunk Employee

This should probably be posted as a separate question.

I recommend using a forwarder for multiple reasons - chiefly for reliability. See this answer: http://answers.splunk.com/questions/1114/what-happens-to-my-events-at-splunk-light-forwarder-when-th....

Also, you can still use the Splunk LWF. The following is what you are losing, none of which - with the exception of fschange - will interfere with the unix app: http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders

0 Karma

rogerssoftware
Explorer

It was the "SyslFormat" part at the end of that rsyslog.conf file, it should have been:

*.* @@192.168.10.7:2010;

Dan
Splunk Employee

Forwarding and receiving is intended for receiving from another Splunk instance (usually a Splunk forwarder). You want to go to Manager » Data Inputs and open a udp port, or tcp if that's an option for rsyslog.

rogerssoftware
Explorer

I have tried that also, restarting splunk of course, with no results.

Any other ideas?

0 Karma
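The two things that went wrong in this thread are easy to check mechanically before restarting rsyslog: the trailing ";SyslFormat" names an rsyslog template that was never defined (the fix was to drop it), and the port was opened under "Forwarding and receiving", which expects another Splunk instance, rather than as a plain TCP data input. The following is an added example, not code from the original thread or from Splunk or rsyslog; it lints the legacy-syntax forwarding rules in an rsyslog.conf for undefined templates and UDP use, and emits the inputs.conf stanza for a raw TCP input. The built-in template list, the constructed sample configs, and the assumption that a rule referencing an undefined template is the only failure mode checked are mine.

```python
"""Lint legacy rsyslog forwarding rules before pointing them at a Splunk TCP input."""
import re

# Templates that rsyslog ships with and that may be referenced after ';'
# (assumption: this list is the commonly documented set, not exhaustive).
BUILTIN_TEMPLATES = {
    "RSYSLOG_TraditionalFileFormat", "RSYSLOG_FileFormat",
    "RSYSLOG_TraditionalForwardFormat", "RSYSLOG_ForwardFormat",
    "RSYSLOG_SyslogProtocol23Format", "RSYSLOG_SysklogdFileFormat",
}

# Legacy forwarding action: <selector> @host[:port][;template] (UDP)
#                           <selector> @@host[:port][;template] (TCP)
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<proto>@@?)(?P<host>[^:;\s]+)"
    r"(?::(?P<port>\d+))?(?:;(?P<template>\S*))?\s*$"
)
# Legacy template definition: $template Name,"format string"
TEMPLATE_DEF_RE = re.compile(r"^\$template\s+(?P<name>[^,\s]+)\s*,")


def parse_forward_rules(conf_text):
    """Return one dict per forwarding rule found in the config text."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FORWARD_RE.match(line)
        if m:
            rules.append({
                "line": lineno,
                "selector": m["selector"],
                "transport": "tcp" if m["proto"] == "@@" else "udp",
                "host": m["host"],
                "port": int(m["port"]) if m["port"] else 514,  # syslog default
                "template": m["template"] or None,             # a bare ';' means no template
            })
    return rules


def defined_templates(conf_text):
    """Names introduced with '$template Name,...' anywhere in the file."""
    return {
        m["name"]
        for raw in conf_text.splitlines()
        if (m := TEMPLATE_DEF_RE.match(raw.strip()))
    }


def lint_rsyslog_conf(conf_text):
    """Flag forwarding rules that reference unknown templates or use lossy UDP."""
    findings = []
    known = BUILTIN_TEMPLATES | defined_templates(conf_text)
    for rule in parse_forward_rules(conf_text):
        tpl = rule["template"]
        if tpl is not None and tpl not in known:
            findings.append(
                f"line {rule['line']}: template '{tpl}' is referenced but never defined "
                f"and is not an rsyslog built-in; rsyslog cannot apply this forwarding rule"
            )
        if rule["transport"] == "udp":
            findings.append(
                f"line {rule['line']}: UDP forwarding drops events silently under load; prefer @@ (TCP)"
            )
    return findings


def splunk_tcp_input_stanza(port, sourcetype="syslog"):
    """inputs.conf stanza for a raw TCP listener (Manager » Data Inputs » TCP).

    [tcp://port] accepts plain syslog; [splunktcp://port] (what "Forwarding and
    receiving" creates) expects another Splunk instance and will not parse rsyslog.
    """
    return f"[tcp://{port}]\nsourcetype = {sourcetype}\nconnection_host = dns\n"


# Constructed sample: the line posted in the question (SyslFormat is never defined).
BROKEN_CONF = """# forward everything to the Splunk host
*.* @@192.168.10.7:2010;SyslFormat
"""
# Constructed sample: the corrected line from the thread.
FIXED_CONF = """*.* @@192.168.10.7:2010;
"""
# Constructed sample: same template name, but defined before use.
TEMPLATED_CONF = r"""$template SyslFormat,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n"
*.* @@192.168.10.7:2010;SyslFormat
"""

if __name__ == "__main__":
    for name, conf in [("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("templated", TEMPLATED_CONF)]:
        print(name, lint_rsyslog_conf(conf) or "OK")
    print(splunk_tcp_input_stanza(2010))
```

Run it against a copy of /etc/rsyslog.conf from the sending host before restarting rsyslog; an empty findings list plus the [tcp://2010] stanza on the Splunk side is the configuration the thread ended up with.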