Re: How to forward logs using rsyslog

asharma21193 · ‎12-05-2019

There are around 400 servers, which are already forwarding required logs to IBM Qradar using rsyslog. Instead of installing universal forwarders in every server, I want to add one more forwarder (Splunk HWF) in rsyslog config in order to receive logs from every servers.

• What utility I need to install on log Collector
• Can I install this utility on HWF itself as load is very less on this server
• Where I will define index and sourcetype details in this case

starcher · ‎12-05-2019

Put UF on your rsyslog box and read the files you are already writing.

starcher · ‎12-05-2019

http://www.georgestarcher.com/splunk-success-with-syslog/

asharma21193 · ‎12-05-2019

it is IBM log collector that we need to decommission. Kindly help with standard solution.

starcher · ‎12-05-2019

The standard solution is to run a syslog collector with a UF as stated. You could make a new one and redirect syslog there.

asharma21193 · ‎12-05-2019

Can I install this utility on HWF itself as load is very less on this server ?
Where I will define index and sourcetype details in this case ?

starcher · ‎12-06-2019

You shouldn't run a heavy forwarder to pickup syslog. You should use a universal forwarder.

Configuration of either install can do it, however inputs and getting data in can be found at https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Getstartedwithgettingdatain

You may want to consult your splunk administrator or professional services if you have not used splunk at all before.

How to forward logs using rsyslog

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases