Getting Data In

Using Splunk to collect Syslog and forward to remote syslog

michael_lee
Path Finder

So Splunk can collect syslog by configuring a data input at TCP/UDP port 514. Can I know:

  • Splunk does not manipulate the syslog data coming in, right?
  • How then to forward these syslog data to another remote syslog server? Splunk indexes them as they come in through port 514, so I don't think Splunk can forward to a remote syslog server within Splunk itself?
  • I am totally using Splunk as the syslog collector in this situation. No rsyslog or syslog-ng.

thanks

Update: I realize some of my logs could not be converted to syslog format, hence I am still going to try going ahead with Splunk as the syslog collector. I am just using a dedicated Splunk instance as the syslog indexer and will not have too much restarting done. Even if there is a restart, my Splunk forwarders can store/buffer events first before sending... I think.

0 Karma
1 Solution

jkat54
SplunkTrust

UPDATE:

YOU CAN FORWARD SYSLOG IN ORIGINAL FORMAT FROM A HEAVY FORWARDER:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd#Syslog...

Old WRONG answer:
Splunk manipulates the syslog data for sure. It changes it into the indexed form of data and compresses the data for storage. If you go look at the index file, it will be binary... not syslog events.

You cannot forward syslog from Splunk. You can however pull data out of Splunk using ODBC drivers, python, bash scripting, etc.

If you need to forward syslog, you'll need to stick to traditional methods such as syslog-ng, rsyslog, kafka, redis, network load balancing, etc.


rfaircloth_splu
Splunk Employee

Splunk CAN forward syslog; however, this should be avoided in almost all cases. Splunk processes reload or restart for a number of reasons and are not designed to be HA for syslog. There are cases, such as a small/remote office, where this is an appropriate use for Splunk, but it is not the rule.

Syslog-NG is the most common and preferred aggregation solution in front of Splunk. Generally speaking, an NLB (or clustered pair) will be placed in front of two or more syslog servers. Syslog-NG will write a copy of the data to disk for the Universal Forwarder to collect, and forward a subset of messages to another system such as the Cisco NAM or UniCenter for IT Monitoring.

My guide for syslog configuration would be a good starting point for you:
http://www.rfaircloth.com/2016/01/17/building-reliable-syslog-infrastructure-on-centos-7/

rfaircloth_splu
Splunk Employee

I downvoted this post because the solution proposed would be unstable for production use.

0 Karma

jkat54
SplunkTrust

If Splunk can't support this as a "production stable" functionality then it shouldn't be in the product IMHO. Regardless the questions asked were answered. Down vote all you want. We both know Splunk isn't designed to be a syslog forwarder.

0 Karma

a212830
Champion

Pretty sure Splunk can forward syslog (as syslog) to other sources - it's just done at the forwarding layer (and might require a HFW). Not sure that I'd recommend it as a best practice, but it is possible.

jkat54
SplunkTrust

A Splunk forwarder forwards "cooked" events by default. Cooked events will not be in syslog format.

I never realized it but you CAN forward traditional syslog. SORRY! EDITED MY ANSWER.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Forwarddatatothird-partysystemsd#Syslog...

0 Karma

jkat54
SplunkTrust

Also if you're listening on port 514 with splunk on a linux machine, then that means you're most likely running splunk as root. That is against best practices. Consider yourself warned.

0 Karma
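The two points jkat54 makes above (the accepted answer's "forward syslog in original format from a heavy forwarder", and the warning about binding port 514 as root) can be combined in one heavy forwarder configuration. This is an added example, not config from the thread or from Splunk's documentation; the app path, the port 5514 and the destination address 192.0.2.10 are assumed placeholders.

```ini
# --- inputs.conf (assumed app: etc/apps/syslog_relay/local/) ---
# Listen on an unprivileged port so splunkd does not need to run as root;
# redirect 514 -> 5514 in the host firewall (e.g. an iptables nat
# PREROUTING REDIRECT rule) instead of binding 514 directly.
[udp://5514]
sourcetype = syslog
connection_host = ip
# Keep the original line as received; do not prepend a Splunk timestamp.
no_appending_timestamp = true

# --- outputs.conf ---
# A syslog output group sends the raw event text, not cooked Splunk data.
# 192.0.2.10 is a documentation address standing in for the remote collector.
[syslog]
defaultGroup = remote_syslog

[syslog:remote_syslog]
server = 192.0.2.10:514
type = udp
priority = <13>
timestampformat = %b %e %H:%M:%S

# --- props.conf ---
# The heavy forwarder parses UDP input locally, so the routing transform
# is attached here by source (UDP sources are named udp:<port>).
[source::udp:5514]
TRANSFORMS-syslogroute = route_to_remote_syslog

# --- transforms.conf ---
# Match every event and set the syslog routing key to the output group.
[route_to_remote_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = remote_syslog
```

Events that match the transform are sent to the syslog group; whether they are also indexed locally or forwarded to Splunk indexers is governed separately by the forwarder's tcpout and indexAndForward settings, so check those before relying on this host as the only copy.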

michael_lee
Path Finder

OK, then the only solution is to use rsyslog, then use a forwarder and configure outputs.conf to forward to a remote. Thanks.

0 Karma