- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Is there an app that exists for syslog-ng?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using syslog-ng to collect syslog from various devices and we want to use this into splunk.
Is there any app exist which I can use to monitor syslog-ng?
here is the sample logfile /home/syslog/logfile.
Sep 23 21:09:28 10.10.10.11 sshd[18834]: fatal: Read from socket failed: Connect
ion reset by peer
Sep 23 21:09:29 10.10.10.10 routed[14561]: cpcl_cxl_runtime_status: HA mode not
started
Sep 23 21:10:00 last message repeated 124 times
Sep 23 21:11:01 last message repeated 244 times
Sep 23 21:12:02 last message repeated 244 times
How splunk will handle "last message repeated" lines?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will index it exactly as written:
'Sep 23 21:10:00 last message repeated 124 times'
You don't need an app for syslog-ng - it is nativly supported by Splunk, just be sure to set the sourcetype as 'syslog' when you configure it as an input.
See:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
https://www.splunk.com/blog/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part-1... (scenario 3)
And the wrong way to do it:
https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good Morning,
You don't need any app to monitor syslog-ng... Go to data inputs in settings in splunk UI and enable the TCP and UDP port that can receive syslog messages.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't do this!
If you already are collecting logs in syslog-ng collect the logs by reading them from file with a universal/heavy forwarder.
Do not forward events from syslog to syslog over a UDP/TCP port, that is the worst of all worlds.
You should always collect from the syslog file if it exists.
See: https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure check for the ports in data inputs for both TCP and UDP using which port you are trying to receive data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will index it exactly as written:
'Sep 23 21:10:00 last message repeated 124 times'
You don't need an app for syslog-ng - it is nativly supported by Splunk, just be sure to set the sourcetype as 'syslog' when you configure it as an input.
See:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
https://www.splunk.com/blog/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part-1... (scenario 3)
And the wrong way to do it:
https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
