
Does rsyslog work well with Splunk

dcroteau
Splunk Employee

Does both Enterprise (supported) and free rsyslog support wildcarding?

Does rsyslog work well with Splunk?

Is Rsyslog supported on PowerPC running LINUX?


dcroteau
Splunk Employee

First, let me say that there is no "enterprise" version of rsyslog, at least for the time being. There is just one very capable version, but you can purchase support with it (what, of course, I appreciate ;)).

I don't see any reason why rsyslog should not run on PowerPC. Did you try a compile and it failed? If so, please let me know what happened. I do not have a PowerPC environment to test myself.


christopher_hod
Path Finder

We use rsyslog. All networking equipment sends its logs to a central syslog server(*) that then uses this rule:

$template DynaFile,"/var/log/syslog/system-%FROMHOST%.log",500000

We then grab them with an inputs.conf that looks like this:

[monitor:///var/log/syslog]
index = syslog
sourcetype = syslog
host_regex = /var/log/syslog/system-(.*).log*

(*) It's actually a VIP that goes to a load balancer, but that's not really important to this discussion.

eric_budke
Path Finder

And your FROMHOST doesn't get replaced with the VIP IP/hostname?

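To see what the DynaFile template above and the inputs.conf host_regex do together, and what happens to the host value when a load balancer rewrites the source address as eric_budke asks, here is an added example (not configuration from the thread or from either poster). The template and regex are copied from the post; the renderer, the sender names and the VIP address are constructed for illustration.

```python
import re

# Template and regex exactly as posted in the thread
RSYSLOG_TEMPLATE = "/var/log/syslog/system-%FROMHOST%.log"
HOST_REGEX = re.compile(r"/var/log/syslog/system-(.*).log*")


def render_dynafile(fromhost: str) -> str:
    """Substitute rsyslog's %FROMHOST% property into the DynaFile template.
    This is a simplified, hypothetical renderer, not rsyslog's own code."""
    return RSYSLOG_TEMPLATE.replace("%FROMHOST%", fromhost)


def splunk_host(path: str):
    """Apply host_regex the way Splunk does: the first capture group of the
    regex matched against the file path becomes the event's host field."""
    m = HOST_REGEX.search(path)
    return m.group(1) if m else None


def round_trip(senders, vip=None):
    """Map each original sender to the host Splunk will assign.

    With vip=None rsyslog sees the real source address, so the file name
    (and therefore the host field) carries the device name.  With a vip set,
    the load balancer has rewritten the source address, rsyslog sees the VIP
    as %FROMHOST% for every device, all messages land in one file, and the
    original sender is lost.  Constructed scenario for illustration."""
    result = {}
    for sender in senders:
        seen_by_rsyslog = vip if vip else sender
        result[sender] = splunk_host(render_dynafile(seen_by_rsyslog))
    return result


if __name__ == "__main__":
    print(round_trip(["sw01", "rtr02"]))                 # names preserved
    print(round_trip(["sw01", "rtr02"], vip="10.0.0.1"))  # all collapse to VIP
```

The regex also recovers the host from rotated files such as system-sw01.log.1, which matters because the monitor stanza watches the whole directory.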

christopher_hod
Path Finder

I'm not sure what you mean by wildcarding in this context.

But this is a Splunk message board and I can only comment on how Splunk interacts with rsyslog.

As far as source goes, if you're using syslog, you're not going to get much more than source=syslog anyway.

If you want more specific sourcetypes, I can give you examples of that.


dcroteau
Splunk Employee

Thanks Mike. With our messages we'd lose the original source if we did it that way. Again, does either rsyslog support wildcarding?


dcroteau
Splunk Employee

That is rsyslog wildcarding.


Brian_Osburn
Builder

I'd check the rsyslog web site with regards to what it supports or what it doesn't.

If it's a flavor of *syslog, then Splunk can consume it directly (not recommended in my opinion), or it can write to a log and then have Splunk consume that log (a little more failsafe).

Brian

dcroteau
Splunk Employee

I wish I could distinguish support for wildcarding on any website; that's why I wanted to run it by the community.
