topic Does rsyslog work well with Splunk in Getting Data In

Does rsyslog work well with Splunk

dcroteau — Thu, 29 Mar 2012 17:52:28 GMT

Does both Enterprise (supported) and free rsyslog support wildcarding?

Does rsyslog work well with Splunk?

Is Rsyslog supported on PowerPC running LINUX?

Re: Does rsyslog work well with Splunk

Brian_Osburn — Thu, 29 Mar 2012 18:16:01 GMT

I'd check the rsyslog web site with regards to what it supports or what it doesn't.

If it's a flavor of *syslog, then Splunk can consume it directly (not recommended in my opinion), or if it can write to a log and then have Splunk consume that log (little more failsafe).

Brian

Re: Does rsyslog work well with Splunk

dcroteau — Thu, 29 Mar 2012 18:20:15 GMT

I wish I could distinguish support for wildcarding on any website, that's why I wanted to run it by the community.

Re: Does rsyslog work well with Splunk

christopher_hod — Thu, 29 Mar 2012 18:24:23 GMT

We use rsyslog. All networking equipment send it's logs to a central syslog server(*) that then uses this rule:

$template DynaFile,"/var/log/syslog/system-%FROMHOST%.log",500000

We then grab them with an inputs.conf that looks like this:

[monitor:///var/log/syslog]
index = syslog
sourcetype = syslog
host_regex = /var/log/syslog/system-(.*).log*

(*) It's actually a VIP that goes to a load balancer, but that's not really important to this discussion.

Re: Does rsyslog work well with Splunk

dcroteau — Thu, 29 Mar 2012 18:28:16 GMT

That is rsyslog wildcarding

Re: Does rsyslog work well with Splunk

dcroteau — Thu, 29 Mar 2012 18:32:05 GMT

Thanks Mike, With our messages we'd lose the original source if we did it that way. Again, does either rsyslog support wildcarding.

Re: Does rsyslog work well with Splunk

christopher_hod — Thu, 29 Mar 2012 18:44:02 GMT

I'm not sure what you mean by wildcarding in this context.

But this is a splunk message board and I can only comment on how splunk interacts with rsyslog.

As far as source goes, if you're using syslog, you're not going to get much more than source=syslog anyway.

If you want more specific sourcetypes, I can give you examples of that.

Re: Does rsyslog work well with Splunk

dcroteau — Fri, 30 Mar 2012 15:04:01 GMT

First, let me say that there is no "enterprise" version of rsyslog, at least for the time being. There is just one very capable version, but you can purchase support with it (what, of course, I appreciate ;)).

I don't see any reason why rsyslog should not run on PowerPC. Did you try a compile and it failed? If so, please let me know what happened. I do not have a PowerPC environment to test myself.

Re: Does rsyslog work well with Splunk

eric_budke — Fri, 09 Aug 2013 14:54:34 GMT

And your FROMHOST doesn't get replaced with the VIP IP/hostname?