Installation

kiwi syslog server does NOT support multiple UDP receiving ports. Any alternative syslog server that supports it ?

damode
Motivator

I have installed a universal forwarder to read logs from syslog server and forward them to heavy forwarder. I have kiwi syslog server to receive logs from all syslog based data sources and had planned to configure multiple UDP ports for ease of sourcetype categorisation. However, I realised it only supports 1 udp port at a time.

Can anyone please advise what can be done in this case ?

Tags (2)
0 Karma
1 Solution

nyc_jason
Splunk Employee
Splunk Employee

Are you using the free or full version of Kiwi? The full version should be able to take everything on a single UDP port, then use the "AutoSplit" feature, by hostname for example, and have them write out to their own directories. The UF can monitor these individually, so you can sourcetype them properly and use a segment in path to pick up the hostnames, and then send the data on to the HF.

View solution in original post

0 Karma

nyc_jason
Splunk Employee
Splunk Employee

Are you using the free or full version of Kiwi? The full version should be able to take everything on a single UDP port, then use the "AutoSplit" feature, by hostname for example, and have them write out to their own directories. The UF can monitor these individually, so you can sourcetype them properly and use a segment in path to pick up the hostnames, and then send the data on to the HF.

0 Karma

damode
Motivator

I am using a full version of Kiwi. Thanks for the suggestion. It has helped to deal with the issue of multiple type of logs on one port.

0 Karma

Richfez
SplunkTrust
SplunkTrust

If you absolutely must stick with windows, there are quite a few options. For instance, here's a list of nearly a dozen free syslog servers. I find it interesting that all syslog servers for windows seem to come with some sort of a UI to "display" the data, which isn't a feature you need. Still, any one of those should work - given that you check if they support multiple UDP ports.

If you have more choices, a virtual machine running Ubuntu/CentOS with syslog-ng would also work. I've done decent enough syslog receiving on 1 GB of RAM and 1 CPU though obviously your mileage may vary. For the configuration, I believe you simply add multiple source lines, as per syslog-ng's docs. I've done it before and it seemed relatively straightforward. I DO believe you have to use a fairly current version of syslog-ng, like later in the 3.x series.

If I may ask - why send data from a UF to an HF instead of just right into your indexer?

Happy Splunking,
Rich

0 Karma

damode
Motivator

Hi @rich7177,

We need the HF for data filtering and dbconnect app.

I checked out each syslog server, however, none of them support multiple UDP ports. Hence, as an alternative to solution to this, I have decided to change the architecture by having all logs sent to the Heavy forwarders instead of syslog server and from there, forward logs to syslog server as well, in addition to the Indexer. That way, I can reduce the risk of data loss.
Please suggest if there could be any drawbacks for this method ?

Thanks.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...