What's the next step to setup my universal forward...

jgorman_THG · ‎08-17-2017

Hello,

I am trying to bring a client's syslog data into Splunk using a universal forwarder (UF) on a syslog server. I am getting Splunk internal logs, and I am getting Linux logs off the box.

The permissions seem to be set correctly and I am not seeing any errors in the Splunk internal logs.

Any ideas of where I can go from here?

My input stanza looks like the following:

[monitor:///var/log/client_name]
recursive = true
crcSalt =
queue = parsingQueue
sourcetype = netscreen:firewall
host_segment = 4
disabled = 0

Thanks,

JG

bheemireddi · ‎08-17-2017

Hi jgorman_THG,

It would be a good practice to collect these syslogs and write into the directories that can be accessible by splunk user. syslog-ng does have a lot of features where you can collect/filter and write the messages in appropriate dirs you wanted.This process makes it easier to configure the inputs on the UF and parsing the logs for the metadata like host field etc.

mattymo · ‎08-17-2017

Hey JG!

/var/log is usually owned by root or by admin groups. You likely just need to chown the log file, or have the splunk user added to adm group, etc. Make sure the sysadmin configures logrotate to keep the new perms too!

You can confirm by checking the status of any input with the super handy command ./splunk list inputstatus on the UF. I believe 6.3+ forwarders support the command, so as long its a newish UF, it will tell you exactly whats up!

- MattyMo

What's the next step to setup my universal forwarder on a syslog server?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life