<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Hidden syslog configuration on heavy forwarders in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675425#M113036</link>
    <description>&lt;P&gt;My organization has a handful of heavy forwarders that were configured to listen to syslog sources through udp://514. This was set up by a 3rd party, and now we are trying to understand the configuration. Searching the heavy forwarders' /etc/* recursively for "514", "tcp", "udp", "syslog", or "SC4S" returns no relevant results.&lt;/P&gt;&lt;P&gt;We know syslog is working, because we have multiple sources that are pointed at the heavy forwarders using udp over port 514 and their data is being indexed.&lt;/P&gt;&lt;P&gt;Curiously, when a new syslog source is pointed at the HFs, a new index with a random name pops up in our LastChanceIndex. We have no idea how any of this is configured - the index selection, or the syslog listener. We usually create an index that matches the name given, since we've never been able to find the config to set it manually.&lt;/P&gt;&lt;P&gt;Any suggestions on how syslog might be set up, or what else I could try searching for?&lt;/P&gt;</description>
    <pubDate>Thu, 25 Jan 2024 17:33:14 GMT</pubDate>
    <dc:creator>Dominic32</dc:creator>
    <dc:date>2024-01-25T17:33:14Z</dc:date>
    <item>
      <title>Hidden syslog configuration on heavy forwarders</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675425#M113036</link>
      <description>&lt;P&gt;My organization has a handful of heavy forwarders that were configured to listen to syslog sources through udp://514. This was set up by a 3rd party, and now we are trying to understand the configuration. Searching the heavy forwarders' /etc/* recursively for "514", "tcp", "udp", "syslog", or "SC4S" returns no relevant results.&lt;/P&gt;&lt;P&gt;We know syslog is working, because we have multiple sources that are pointed at the heavy forwarders using udp over port 514 and their data is being indexed.&lt;/P&gt;&lt;P&gt;Curiously, when a new syslog source is pointed at the HFs, a new index with a random name pops up in our LastChanceIndex. We have no idea how any of this is configured - the index selection, or the syslog listener. We usually create an index that matches the name given, since we've never been able to find the config to set it manually.&lt;/P&gt;&lt;P&gt;Any suggestions on how syslog might be set up, or what else I could try searching for?&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2024 17:33:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675425#M113036</guid>
      <dc:creator>Dominic32</dc:creator>
      <dc:date>2024-01-25T17:33:14Z</dc:date>
    </item>
    <item>
      <title>Re: Hidden syslog configuration on heavy forwarders</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675431#M113037</link>
      <description>&lt;P&gt;Hi! You'll want to poke through the docs on Splunk config files:&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/AboutConfigurationFiles" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/AboutConfigurationFiles&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;But the tl;dr is I would use "btool" -&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/9.1.2/Troubleshooting/Usebtooltotroubleshootconfigurations" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/9.1.2/Troubleshooting/Usebtooltotroubleshootconfigurations&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;and you'll want to go hunting for "inputs.conf" - this is where your Splunk instances would be taking the data in, then comb through props.conf - where the sourcetypes and event parsing/transformation/routing happens.&lt;BR /&gt;&lt;BR /&gt;It is also common to have Splunk co-located with a syslog listener that puts logs down that we pick up. So a quick `ss -tulpn` or `netstat -tulpn` will show what ports, if any, are open on your Heavy Forwarders.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;So getting good with btool or reviewing inputs and sourcetypes in your Splunk UI will be key.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2024 17:58:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675431#M113037</guid>
      <dc:creator>mattymo</dc:creator>
      <dc:date>2024-01-25T17:58:25Z</dc:date>
    </item>
    <item>
      <title>Re: Hidden syslog configuration on heavy forwarders</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675443#M113039</link>
      <description>&lt;P&gt;As stated I've tried searching through all files within /etc/* (including all .conf files) for the following:&amp;nbsp;&lt;SPAN&gt;"514", "tcp", "udp", "syslog", or "SC4S". I get no results. You mentioned I should check inputs.conf, but I've already done this and found nothing - could you elaborate on what exactly I should be searching for? Are there additional keywords I should try?&lt;/SPAN&gt;&lt;SPAN&gt;&lt;BR /&gt;I confirmed that the Heavy Forwarders are listening on port 514. Syslog is working... I just don't see how it's configured.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Edit: I also want to ask - what could btool find that a sudo grep search wouldn't have located?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jan 2024 20:45:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/675443#M113039</guid>
      <dc:creator>Dominic32</dc:creator>
      <dc:date>2024-01-25T20:45:16Z</dc:date>
    </item>
    <item>
      <title>Re: Hidden syslog configuration on heavy forwarders</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/677308#M113248</link>
      <description>&lt;P&gt;SC4S was running in a docker container through Podman. Mystery solved!&lt;/P&gt;&lt;P&gt;&lt;A href="https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/getting-started-splunk-setup/" target="_blank"&gt;Splunk Setup - Splunk Connect for Syslog&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 12 Feb 2024 17:00:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Hidden-syslog-configuration-on-heavy-forwarders/m-p/677308#M113248</guid>
      <dc:creator>Dominic32</dc:creator>
      <dc:date>2024-02-12T17:00:37Z</dc:date>
    </item>
  </channel>
</rss>

