topic Re: Getting syslog data into splunk lightweight forwarder in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Getting-syslog-data-into-splunk-lightweight-forwarder/m-p/52626#M10159 <P>The best way to do this is to just have Splunk monitor the files/directories where syslog-ng is writing (and rotating) log files. The reason for this is that the files can provide a buffer for capturing data for when the forwarder can't receive data (e.g., if the network is down and the queue fills up, or the forwarder is restarted, or a temporarily high input data rate such that the indexer backs up, etc.). For this, then you don't need to enable the network inputs. You can just create a file monitor input using the CLI or configuration file.</P> <P>You <EM>can</EM> re-enable UDP inputs on a LWF by creating a local <CODE>default-mode.conf</CODE> file containing the entry:</P> <PRE><CODE>[pipeline:udp] disabled =false </CODE></PRE> <P>but I think that capturing the data with syslog, syslog-ng, or rsyslog is better because of the buffering it provides.</P> Fri, 17 Sep 2010 09:26:02 GMT gkanapathy 2010-09-17T09:26:02Z Getting syslog data into splunk lightweight forwarder https://community.splunk.com/t5/Getting-Data-In/Getting-syslog-data-into-splunk-lightweight-forwarder/m-p/52625#M10158 <P>Hi, I'm new to splunk, so my question might be lame. I am trying to setup a splunk lightweight forwarder, my problem is the following. If it is a lightweight forwarder, it cannot be a listener. How do I get data into lightweight forwarder in first place (I have syslog-ng running on the same box, and I want LWF to load balance the data across several indexers)?</P> Fri, 17 Sep 2010 06:44:51 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-syslog-data-into-splunk-lightweight-forwarder/m-p/52625#M10158 ultra 2010-09-17T06:44:51Z Re: Getting syslog data into splunk lightweight forwarder https://community.splunk.com/t5/Getting-Data-In/Getting-syslog-data-into-splunk-lightweight-forwarder/m-p/52626#M10159 <P>The best way to do this is to just have Splunk monitor the files/directories where syslog-ng is writing (and rotating) log files. The reason for this is that the files can provide a buffer for capturing data for when the forwarder can't receive data (e.g., if the network is down and the queue fills up, or the forwarder is restarted, or a temporarily high input data rate such that the indexer backs up, etc.). For this, then you don't need to enable the network inputs. You can just create a file monitor input using the CLI or configuration file.</P> <P>You <EM>can</EM> re-enable UDP inputs on a LWF by creating a local <CODE>default-mode.conf</CODE> file containing the entry:</P> <PRE><CODE>[pipeline:udp] disabled =false </CODE></PRE> <P>but I think that capturing the data with syslog, syslog-ng, or rsyslog is better because of the buffering it provides.</P> Fri, 17 Sep 2010 09:26:02 GMT https://community.splunk.com/t5/Getting-Data-In/Getting-syslog-data-into-splunk-lightweight-forwarder/m-p/52626#M10159 gkanapathy 2010-09-17T09:26:02Z