topic Re: Using Splunk Forwarder on syslog server to forward to splunk server in Getting Data In

Using Splunk Forwarder on syslog server to forward to splunk server

oranger1426 — Mon, 08 Apr 2013 10:27:52 GMT

Syslogs already has all the logs from other server using snare udp 514

Do I need to configure anything on the splunk forwarder to get logs from syslog?

Or it gets the syslogs on the syslog server automatically?

Re: Using Splunk Forwarder on syslog server to forward to splunk server

krugger — Mon, 08 Apr 2013 14:30:22 GMT

You can point any syslog towards the splunk server and configure the splunk server to receive syslog. So you can point snare to splunk, but you need to configure a receiving port first.

Or you can have a splunk forwarder índex the files on the syslog server and send it to splunk.

Re: Using Splunk Forwarder on syslog server to forward to splunk server

oranger1426 — Tue, 09 Apr 2013 01:17:11 GMT

so i just need to configure receiving index for splunk forwarder to 9997

for the syslog server, splunk forwarder automatically gets its data from syslog? (I don't need to do any config to syslog to forward the logs to splunk forwarder)?

Re: Using Splunk Forwarder on syslog server to forward to splunk server

stephenho — Tue, 09 Apr 2013 03:05:23 GMT

You'd need to set up your data inputs under

manager -> data inputs -> UDP -> NEW

From there you just add the port you want to use and point your syslog server to the port on the splunk server. However, if you have an agent running on the syslog server, it might be better to get syslog to pump the file to disk and read that. Doing that ensures that you don't lose any data if the splunk server goes down or if the network has issues. Otherwise, you can just share the drive to the splunk server and let Splunk pick it up as a local file.