Getting Data In

How to receive Splunk forwarder index name in syslog-ng receiver

dhavamanis
Builder

We are sending to data to Syslog-ng receiver from Splunk Universal forwarder and we want to append the index name as part of the event at syslog-ng receiver side. because its collecting logs from multiple sources and sending to splunk indexer.

Workflow: Splunk Universal forwarder forwarding logs to two different Splunk indexer endpoints

  1. syslog-ng receiver -> Splunk indexer (security team indexer)
  2. Splunk indexer directly (app team indexer) and there is no issue with it.

For the first case while receiving logs in syslog-ng from universal forwarder and we need to prefix the indexname as part of the event. Can you please help us how to get splunk indexname and append as part of event at syslog-ng receiver side.

syslog-ng.conf:

source s_cms {
tcp(ip(0.0.0.0) port(10602));
};
template no_header {
template("${HOST} ${MSG}\n");
template_escape(no);
};

destination d_files_cms {
file("/tmp/cms.log" create_dirs(yes) template(no_header));
};

log {
source(s_cms);
destination(d_files_cms);
};

0 Karma

cbwillh
Path Finder

Hello,
when using syslog-ng with splunk you can control the index and sourcetype etc in the app inputs.conf that is pushed to your forwarder.
of course this implies you are using a splunk enterprise on prem deployment server to push apps to your endpoints forwarders.

for example
firewall sends its log to syslog-ng
syslog-ng.conf has filters configured for each type of device sending logs, it checks through those filters until it finds a match for the log received from the firewall. lets say it is using subnet to identify this is a firewall.
once it matches the filter it then checks the log rule which tells it which destination rule to use to place the log in the folder structure and naming convention that has been configured in the destination rule for this device type
lets say it puts the log in "/home/syslog/logs/firewall/$HOST/$YEAR-$MONTH-$DAY-firewall.log"
you will note that in the path that is configured in the destination rule for this log the hostname will be the 5th folder in the path
so in your inputs.conf file for whichever app you use for this devicetypes logs you would need to tell it that the 5th position is where the hostname is. splunk will then be able to find the logs using that name with the host=host name

example in my example the syslog_firewall_inputs\local\ inputs.conf file would look like this

Firewall Logs sent to syslog-ng

[monitor:///home/syslog/logs/firewall//.log]
host_segment = 5
sourcetype = fgt_log
index = firewall
disabled = false

note that the sourcetype was one we created ourselves for our environment so be sure all settings are for your own environment.
as you can see it is in this file where you can specify which index and which sourcetype splunk UF will associate with the log.

I hope this is helpful. your description was not 100% clear so I am hoping this is what you need

0 Karma

FrankVl
Ultra Champion

Why don't you send from the UF straight to the second indexer, rather than complicating things by sending it through an intermediate non-splunk component?

And can you clarify what exactly you want to accomplish? You are looking for syslog-ng config to prefix the data it sends to the Indexer with the index it should go to? How do you envision syslog-ng determines what data goes to what indexer? How does data go from the syslog-ng daemon to the indexer? I only see you writing to file, does splunk pick up those files, or do you need to add config to forward the syslog messages over the network once more?

0 Karma

bjoernhansen
Path Finder

If you send your data from Splunk to syslog-ng using the syslog output, it's the raw data. The information about the index will never reach syslog-ng, and therefore can't be put into the event.
I'd stick with FrankVI's question and ask - why (the hell ;-)) would you do such a setup? Forward it to the second Splunk indexer cluster right from the UFs. If anything needs to be manipulated before, use Heavy Forwarders instead of syslog-ng in-between?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...