Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to forward a specific syslog file into Splunk?

erinaldo
Explorer
‎02-07-2017 11:20 AM

Hello all,

I'm looking for guidance about a logging problem I am trying to solve. Right now we have a few security onion boxes sending snort logs to both our log server and to Splunk using syslog-ng. This works fine.

The powers that be now want to remove the direct send to Splunk and just pipe the logs from the syslog box into Splunk. What I would like to do is just forward these specific log files which are under /var/log/remote/IP1, /var/log/remote/IP2 to the Splunk box. Is there an easy way to accomplish this or do I need to get cute with eventtypes..etc? Hopefully that makes sense.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎02-07-2017 01:33 PM

If you have the UF on your syslog collector, just configure your inputs to monitor those files. Example inputs.conf:

[monitor:///var/log/remote/IP1]
host=IP1
sourcetype=syslog
index=syslogidx

[monitor:///var/log/remote/IP2]
host=IP2
sourcetype=syslog
index=syslogidx

If you need something more sophisticated, explain that scenario.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎02-07-2017 01:33 PM

If you have the UF on your syslog collector, just configure your inputs to monitor those files. Example inputs.conf:

[monitor:///var/log/remote/IP1]
host=IP1
sourcetype=syslog
index=syslogidx

[monitor:///var/log/remote/IP2]
host=IP2
sourcetype=syslog
index=syslogidx

If you need something more sophisticated, explain that scenario.

0 Karma
Reply
Solved! Jump to solution

erinaldo
Explorer
‎02-07-2017 02:15 PM

I ended up setting up a forward in rsyslog. So it logs into /var/log/remote/ip.log then forwards to Splunk.
if $fromhost-ip=='192.168.211.2' then @192.168.211.3:514

Is it better to use the universal forwarder?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2017 02:18 PM

Yes, the universal forwarder is better. It handles retry, throttling, and more that rsyslog doesn't.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎02-07-2017 02:21 PM

Most definitely I agree. It's too easy to loose syslog data. The forwarder on the syslog server is the best way to go.

0 Karma
Reply
Solved! Jump to solution

erinaldo
Explorer
‎02-07-2017 02:35 PM

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-07-2017 01:03 PM

Piping syslog through an intermediate server is accepted Best Practice to avoid losing data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...