We are sending to data to Syslog-ng receiver from Splunk Universal forwarder and we want to append the index name as part of the event at syslog-ng receiver side. because its collecting logs from multiple sources and sending to splunk indexer.
Workflow: Splunk Universal forwarder forwarding logs to two different Splunk indexer endpoints
For the first case while receiving logs in syslog-ng from universal forwarder and we need to prefix the indexname as part of the event. Can you please help us how to get splunk indexname and append as part of event at syslog-ng receiver side.
syslog-ng.conf:
source s_cms {
tcp(ip(0.0.0.0) port(10602));
};
template no_header {
template("${HOST} ${MSG}\n");
template_escape(no);
};
destination d_files_cms {
file("/tmp/cms.log" create_dirs(yes) template(no_header));
};
log {
source(s_cms);
destination(d_files_cms);
};
Hello,
when using syslog-ng with splunk you can control the index and sourcetype etc in the app inputs.conf that is pushed to your forwarder.
of course this implies you are using a splunk enterprise on prem deployment server to push apps to your endpoints forwarders.
for example
firewall sends its log to syslog-ng
syslog-ng.conf has filters configured for each type of device sending logs, it checks through those filters until it finds a match for the log received from the firewall. lets say it is using subnet to identify this is a firewall.
once it matches the filter it then checks the log rule which tells it which destination rule to use to place the log in the folder structure and naming convention that has been configured in the destination rule for this device type
lets say it puts the log in "/home/syslog/logs/firewall/$HOST/$YEAR-$MONTH-$DAY-firewall.log"
you will note that in the path that is configured in the destination rule for this log the hostname will be the 5th folder in the path
so in your inputs.conf file for whichever app you use for this devicetypes logs you would need to tell it that the 5th position is where the hostname is. splunk will then be able to find the logs using that name with the host=host name
example in my example the syslog_firewall_inputs\local\ inputs.conf file would look like this
[monitor:///home/syslog/logs/firewall//.log]
host_segment = 5
sourcetype = fgt_log
index = firewall
disabled = false
note that the sourcetype was one we created ourselves for our environment so be sure all settings are for your own environment.
as you can see it is in this file where you can specify which index and which sourcetype splunk UF will associate with the log.
I hope this is helpful. your description was not 100% clear so I am hoping this is what you need
Why don't you send from the UF straight to the second indexer, rather than complicating things by sending it through an intermediate non-splunk component?
And can you clarify what exactly you want to accomplish? You are looking for syslog-ng config to prefix the data it sends to the Indexer with the index it should go to? How do you envision syslog-ng determines what data goes to what indexer? How does data go from the syslog-ng daemon to the indexer? I only see you writing to file, does splunk pick up those files, or do you need to add config to forward the syslog messages over the network once more?
If you send your data from Splunk to syslog-ng using the syslog output, it's the raw data. The information about the index will never reach syslog-ng, and therefore can't be put into the event.
I'd stick with FrankVI's question and ask - why (the hell ;-)) would you do such a setup? Forward it to the second Splunk indexer cluster right from the UFs. If anything needs to be manipulated before, use Heavy Forwarders instead of syslog-ng in-between?