https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61322#M12196 <P>Assuming you can get the Splunk forwarder to run on OpenBSD -- which you may not be able to -- I would use approach #2. The cleanest approach by far is to use a Splunk forwarder reading the disk files created by syslogd. This gives you added resiliency during maintenance and certain outage situations.</P> <P>You'll be able to upgrade the splunk installations without losing any of your syslog data (because it will be destaged to disk by syslogd), and if there is an outage either on the indexer or the network between the forwarder and indexer you won't lose any data there either.</P> <P>A substantial issue, though, is that Splunk does not provide a native OpenBSD binary. And, no one has reported success using OpenBSD's FreeBSD compatibility ABI.</P> Sat, 20 Aug 2011 19:26:11 GMT dwaddle 2011-08-20T19:26:11Z https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61321#M12195 <P>I have:</P> <OL> <LI>two existing OpenBSD Centralized Syslog loghosts (one is syslog-ng, one is syslogd)</LI> <LI>a new dedicated server for running Splunk</LI> </OL> <P>I would like to leave the central loghosts in place and move the data to my new splunk server for analysis. <BR /> From what I have read, it seems like my options are:</P> <OL> <LI>use syslog-ng on both loghosts and write/forward to a syslog-ng server on the splunk server</LI> <LI>use a splunk forwarder on loghosts to send data to splunk server</LI> <LI>set up an rsync/cron process from the loghosts to the splunk server</LI> <LI>set up a fifo on the loghost filesystems that writes locally and forwards to the splunk server</LI> <LI>write logs to shared storage that both loghosts and splunk server have access to</LI> </OL> <P>I started on option #1 but stopped when I couldn't get the syslog-ng port to compile with "--enable-spoof-source" under OpenBSD 4.9. </P> <P>Any recommendations or other options I should be considering? </P> <P>Thanks,</P> <P>-Tom </P> Sat, 20 Aug 2011 13:05:43 GMT https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61321#M12195 tnorth 2011-08-20T13:05:43Z https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61322#M12196 <P>Assuming you can get the Splunk forwarder to run on OpenBSD -- which you may not be able to -- I would use approach #2. The cleanest approach by far is to use a Splunk forwarder reading the disk files created by syslogd. This gives you added resiliency during maintenance and certain outage situations.</P> <P>You'll be able to upgrade the splunk installations without losing any of your syslog data (because it will be destaged to disk by syslogd), and if there is an outage either on the indexer or the network between the forwarder and indexer you won't lose any data there either.</P> <P>A substantial issue, though, is that Splunk does not provide a native OpenBSD binary. And, no one has reported success using OpenBSD's FreeBSD compatibility ABI.</P> Sat, 20 Aug 2011 19:26:11 GMT https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61322#M12196 dwaddle 2011-08-20T19:26:11Z https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61323#M12197 <P>Definitely option #2, if there is any way to make it work.</P> Sun, 21 Aug 2011 15:51:50 GMT https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61323#M12197 lguinn2 2011-08-21T15:51:50Z https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61324#M12198 <P>If you can't get a forwarder to run on the syslog host, you could run Splunk on Linux (or something else) and have it read from the NFS-exported log directory.</P> Mon, 22 Aug 2011 03:35:57 GMT https://community.splunk.com/t5/Getting-Data-In/existing-central-sysloghost-data-to-new-splunk-server/m-p/61324#M12198 gkanapathy 2011-08-22T03:35:57Z