How to send syslog-ng messages to Splunk properly?
I'm using Free 'splunk-4.1.4-82143-linux-2.6-intel.deb' and 'syslog-ng 2.0.9-4.1' on Debian Lenny. Both are installed on the same machine, one host, small server.
I want Splunk to read from syslog-ng.
I have read so many articles on how to send syslog-ng to Splunk and still feel lost and very frustrated as information is either outdated, contradicts another article, is for Windows, or is incomplete - one example of many: http://www.splunk.com/wiki/Deploy:CreateSyslogNGRules
So far the methods I think to do this are either:
Create a pipe mkfifo from syslog-ng to splunk? - I read splunk doesn't recommend the usage of fifo
Add the syslog log to Manager ->Data inputs->TCP/Add new/select source type: From list/select source type from list: syslog/ Index select main (there isn't 'default' on the list), done? I don't need to add anything to syslog-ng?
Add the syslog log to Manager ->Data inputs->File & directories->Add new -> /var/log/syslog Index select main, add /var/log/*.log , done?
Forwarder ? (wouldn't this be only for sending to another machine) and TCP forwarding only works in Enterprise edition?
Manager->Forwarding and receiving->Receive data->Add new, enter 514 and be done with it? I don't need to add anything to syslog-ng or /opt/splunk/etc/system/local/inputs.conf?
Please if you could tell me the best and correct method for my setup.
Thank you,
Katey
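The single-host setup the question describes (syslog-ng and Splunk on the same box) is usually wired with a syslog-ng TCP destination pointing at a Splunk TCP input, so syslog-ng keeps owning port 514 and Splunk does not need root to bind a privileged port. The script below is an added example, not code from the original post or from the Splunk or syslog-ng projects; it renders the two config fragments involved and syntax-checks syslog-ng when the binary is present. The listener port (1514), the Splunk install path (/opt/splunk), and the syslog-ng source name (s_all, the catch-all source in Debian's stock syslog-ng 2.0 config) are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original post, Splunk, or syslog-ng).
# Assumptions: Splunk lives in /opt/splunk, the syslog-ng config defines a
# source named "s_all", and TCP port 1514 is free on the host. 1514 is used
# instead of 514 because syslog-ng already listens on 514 and Splunk would
# otherwise have to run as root to bind a port below 1024.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_PORT="${SPLUNK_PORT:-1514}"
SYSLOGNG_SOURCE="${SYSLOGNG_SOURCE:-s_all}"
SYSLOGNG_CONF="${SYSLOGNG_CONF:-/etc/syslog-ng/syslog-ng.conf}"

# Fragment appended to syslog-ng.conf: a TCP destination on the loopback
# address and a log path that feeds the existing catch-all source into it.
# syslog-ng keeps writing /var/log/* exactly as before; Splunk gets a copy.
syslogng_fragment() {
    cat <<EOF
# --- forward everything to the local Splunk TCP input (added) ---
destination d_splunk { tcp("127.0.0.1" port(${SPLUNK_PORT})); };
log { source(${SYSLOGNG_SOURCE}); destination(d_splunk); };
EOF
}

# Stanza for $SPLUNK_HOME/etc/system/local/inputs.conf. sourcetype=syslog
# makes Splunk take the host from the syslog header of each event instead
# of the connecting address, which would otherwise always be 127.0.0.1.
inputs_conf_stanza() {
    cat <<EOF
[tcp://${SPLUNK_PORT}]
sourcetype = syslog
index = main
EOF
}

# Syntax-check the current syslog-ng config with the fragment appended,
# without touching the live file. Returns 0 when syslog-ng is not installed
# (nothing to check) or when the merged config parses cleanly.
syslogng_syntax_ok() {
    command -v syslog-ng >/dev/null 2>&1 || return 0
    [ -r "$SYSLOGNG_CONF" ] || return 0
    tmp=$(mktemp) || return 1
    { cat "$SYSLOGNG_CONF"; syslogng_fragment; } >"$tmp"
    syslog-ng -s -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Write both fragments in place. Only runs when explicitly asked for, so
# sourcing or dry-running this file never modifies the system.
install_fragments() {
    syslogng_syntax_ok || { echo "syslog-ng config would not parse; aborting" >&2; return 1; }
    syslogng_fragment >>"$SYSLOGNG_CONF"
    mkdir -p "$SPLUNK_HOME/etc/system/local"
    inputs_conf_stanza >>"$SPLUNK_HOME/etc/system/local/inputs.conf"
    echo "Now restart syslog-ng and Splunk, then search: index=main sourcetype=syslog"
}

if [ "${1:-}" = "--install" ]; then
    install_fragments
else
    echo "# syslog-ng fragment:"; syslogng_fragment
    echo "# inputs.conf stanza:"; inputs_conf_stanza
fi
```

Run it with no arguments to preview the two fragments; run it as root with --install to append them. After restarting both daemons, a search for index=main sourcetype=syslog should show events whose host field is the machine's hostname, not 127.0.0.1; if host is the loopback address, the events are arriving but the syslog header is not being parsed, which points at the sourcetype rather than the transport.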