We are using syslog-ng to collect syslog from various devices and we want to use this into splunk.
Is there any app exist which I can use to monitor syslog-ng?
here is the sample logfile /home/syslog/logfile.
Sep 23 21:09:28 10.10.10.11 sshd[18834]: fatal: Read from socket failed: Connect
ion reset by peer
Sep 23 21:09:29 10.10.10.10 routed[14561]: cpcl_cxl_runtime_status: HA mode not
started
Sep 23 21:10:00 last message repeated 124 times
Sep 23 21:11:01 last message repeated 244 times
Sep 23 21:12:02 last message repeated 244 times
How splunk will handle "last message repeated" lines?
It will index it exactly as written:
'Sep 23 21:10:00 last message repeated 124 times'
You don't need an app for syslog-ng - it is nativly supported by Splunk, just be sure to set the sourcetype as 'syslog' when you configure it as an input.
See:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
https://www.splunk.com/blog/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part-1... (scenario 3)
And the wrong way to do it:
https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
Good Morning,
You don't need any app to monitor syslog-ng... Go to data inputs in settings in splunk UI and enable the TCP and UDP port that can receive syslog messages.
Don't do this!
If you already are collecting logs in syslog-ng collect the logs by reading them from file with a universal/heavy forwarder.
Do not forward events from syslog to syslog over a UDP/TCP port, that is the worst of all worlds.
You should always collect from the syslog file if it exists.
See: https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
Make sure check for the ports in data inputs for both TCP and UDP using which port you are trying to receive data.
It will index it exactly as written:
'Sep 23 21:10:00 last message repeated 124 times'
You don't need an app for syslog-ng - it is nativly supported by Splunk, just be sure to set the sourcetype as 'syslog' when you configure it as an input.
See:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
https://www.splunk.com/blog/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part-1... (scenario 3)
And the wrong way to do it:
https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf