Getting Data In

Rsyslog with Splunk on Windows

jfedelem
New Member

I'm trying to capture syslogs from an Adtran Router in Splunk. I have confirmed that the Adtran is sending syslogs on UDP port 514 to the correct server. I couldn't get Splunk to read them directly. I saw several forum posts stating that it was recommended to send them to Rsyslog anyway, so that if Splunk needed to be restarted the data wouldn't be lost. The link to the documentation page was broken and I can't seem to find it in the documentation.

Unfortunately, I'm stuck using a Windows server, so much of the help data that relates to Linux is not helpful to me.

I think Rsyslog is set up correctly. Here is what I've done.

  1. Go under "Services" and find the "syslog server" service I've created. Click "test syslog server". Click "send" under test and it tells me I'm successful. Under the message properties tab, it shows the same syslog facility that I have chosen, local0. Under sourcename, however, it has the server name. Not sure if that's right.
  2. Assuming that the service is configured correctly, the ruleset has to be correct. I just took the default rule set and changed the syslog server to the server's local IP.
  3. Therefore, I think rsyslog is set up correctly.

So I think I'm messing up with getting Splunk to correctly read the rsyslog. This seems to be well documented on Linux but I can't seem to find it for Windows.

Any help for a n00b would be appreciated.

0 Karma

parteek_accentu
New Member

So can we configure syslog on Windows?

0 Karma

muebel
SplunkTrust

Hi jfedelem, as you've worked out in the comments, the specifics as to using rsyslog on Windows can be somewhat tricky. As you mentioned, I think you'd have more success setting up a Linux system running rsyslog, and also the Splunk forwarder. You'd be able to take in the logs, write them local to the Linux box, then pick them up with the forwarder and send to your Splunk infrastructure.

My colleague George Starcher has a great blog post with config examples and best practices outlined here: http://www.georgestarcher.com/splunk-success-with-syslog/

Please let me know if this helps!

jfedelem
New Member

Looks like a great article. Will go thru it thoroughly later today. Thanks for the pointer.

0 Karma

Richfez
SplunkTrust

Can you confirm that you have rsyslog writing to files on the local disk and that the events you are testing with get to that disk file?

Once you have the events being written to disk, you can configure your Splunk to just read that file and it'll (probably) work.

Just as an aside: there's no reason you have to have the syslog server on the same server. You could easily install Ubuntu on some small older desktop and install rsyslog (or syslog-ng) and the Splunk universal forwarder on that.

0 Karma

parteek_accentu
New Member

Is it working? Can we set up syslog in Windows?

0 Karma

jfedelem
New Member

Rich:

Thanks for the reply.

I'd like to confirm that the files are being written to disk by rsyslog, but I don't know where to look. I looked under C:\Windows\Logs and under C:\Program Files (x86)\RSyslog\Agent. Do you know where yours are stored?

If I can't get this going within an hour or so tomorrow I'll be tempted to put an Ubuntu VM on the Windows server and install Splunk and rsyslog under that. Then the major documentation will match. It's just a shame that there doesn't seem to be clear documentation on how to accomplish this under Windows (or that I'm too blind to find it, as the case may be).

0 Karma

jkat54
SplunkTrust

You have to configure rsyslog to output to what you want. In this case, file:

http://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html

0 Karma
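Putting Richfez's suggestion (have rsyslog write the events to local files, then let Splunk read the files) together with jkat54's pointer to omfile, here is an added example of what that looks like on a Linux collector. It is not configuration from any poster on this thread or from rsyslog's own documentation; the file path, the ruleset and template names and the /var/log/remote directory are assumptions, and the config is written in rsyslog's RainerScript syntax for a v8 rsyslogd.

```conf
# /etc/rsyslog.d/10-remote.conf  (path is an assumption; any file under rsyslog.d is read)

# Listen on UDP 514, which is where the Adtran router is already sending,
# and hand every received message to a dedicated ruleset so it never mixes
# with the collector's own local logs.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

# One file per sending host, with the date in the file name so the files
# rotate daily on their own (%HOSTNAME% is the host field of the syslog header).
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Keep the classic single-line syslog layout, which Splunk's built-in
# "syslog" sourcetype already knows how to timestamp and parse.
template(name="RawSyslog" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

# The ruleset bound to the UDP input: write everything (all facilities,
# including local0) to the per-host file with restrictive permissions.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteHostFile" template="RawSyslog"
           dirCreateMode="0750" fileCreateMode="0640")
}
```

After restarting rsyslogd, a new line should appear under /var/log/remote/<router-host>/ for every message the router sends; that directory is the "disk file" Richfez asks about, and watching it with tail confirms receipt without involving Splunk at all. On the universal forwarder, a stanza of the form `[monitor:///var/log/remote]` with `sourcetype = syslog` and `host_segment = 4` then picks the files up and sets each event's host from the fourth path segment, the per-host directory name, rather than from the collector. Because UDP syslog is unauthenticated, restricting port 514 on the collector's host firewall to the router's address keeps anyone else on the network from injecting events into those files.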

jfedelem
New Member

Thanks for the reply...

I looked at that documentation, but I think that's for Linux, not Windows. I could not find an omfile for Windows. I looked under C:\Program Files (x86)\RSyslog\Agent\en-US and found rsyslogconfigclient.resources.dll, which I'm guessing is the equivalent, but it shows gibberish when I try to open it in Notepad.

If I've misunderstood which file or it goes by a different name, please let me know and I'll check again.

0 Karma

malmoore
Splunk Employee

Hi jfedelem,

I think what you're looking for is WinSyslog. RSyslog is for *nix only. The Windows agent is for forwarding data into rsyslog.

0 Karma

jkat54
SplunkTrust

Sounds like you need rsyslog training / SME to help you. Unfortunately, this is not a Rsyslog forum. So you'd have better odds asking how to write to file in their forums instead.

Here's a link on configuration basics.
http://www.rsyslog.com/doc/v8-stable/configuration/basic_structure.html

0 Karma

jfedelem
New Member

Thanks. I posted over there yesterday but no response yet. However, the discussion here has convinced me that my problem lies on the rsyslog side and not on the splunk side. Thanks for the help, and I'll look thru the link you just posted.

I have never configured rsyslog before so your assessment is correct.

Thanks for the help.

0 Karma

jkat54
SplunkTrust

Same here, never used rsyslog. I have used syslog-ng however. Someone will chime in here before long with a good solution, I'm sure. Good luck on your endeavor!!

0 Karma