topic How to send syslog-ng messages to Splunk properly? in Getting Data In

How to send syslog-ng messages to Splunk properly?

Katey — Mon, 02 Aug 2010 15:20:13 GMT

How to send syslog-ng messages to Splunk properly? I'm using Free 'splunk-4.1.4-82143-linux-2.6-intel.deb' and 'syslog-ng 2.0.9-4.1' on Debian Lenny. Both are installed on the same machine, one host, small server. I want Splunk to read from syslog-ng.

I have read so many articles on how to send syslog-ng to Splunk and still feel lost and very frustrated as information is either outdated, contradicts another article, is for Windows, or is incomplete- one exmaple of many http://www.splunk.com/wiki/Deploy:CreateSyslogNGRules

So far the methods I think to do this are either:

Create a pipe mkfifo from syslog-ng to splunk? - I read splunk doesn't recommend the usage of fifo
Add the syslog log to Manager ->Data inputs->TCP/Add new/select source type: From list/select source type from list: syslog/ Index select main (there isn't 'default' on the list), done? I don't need to add anything to syslog-ng?
Add the syslog log to Manager ->Data inputs->File & directories->Add new -> /var/log/syslog Index select main, add /var/log/*.log , done?
Forwarder ? (wouldn't this be only for sending to another machine) and TCP forwarding only works in Enterprise edition? Manager->Fowarding and receiving->Receive data->Add new, enter 514 and be done with it? I don't need to add anything to syslog-ng or /opt/splunk/etc/system/local/inputs.conf?

Please if you could tell me the best and correct method for my setup.

Thank you, Katey

Re: How to send syslog-ng messages to Splunk properly?

ftk — Mon, 02 Aug 2010 20:29:42 GMT

Katey, solution 3 you posted sounds best.

Basically you would want to set up syslog-ng on your splunk server and index the log files it generates. Point your managed hosts to send syslog to the syslog-ng instance on your splunk server and you're done.

I recommend configuring syslog-ng to create a log file per host, preferably in a directory structure that identifies the host:

/var/log/syslog-ng/hostA/logfile.log
/var/log/syslog-ng/hostB/logfile.log
/var/log/syslog-ng/hostC/logfile.log

And then when configuring your monitor, set the host to be dynamically defined based on a segment in the path (in this case segment 4). Check out http://www.splunk.com/base/Documentation/latest/Admin/Setadefaulthostforaninput#Dynamically_setting_the_default_host_value_for_a_file_or_directory_input for more info.

Hope this will get you down the right track.

Re: How to send syslog-ng messages to Splunk properly?

Katey — Tue, 03 Aug 2010 14:45:19 GMT

Thank you ftk very much for your reply. I think this shouldn't be as hard as I've made it. I want syslog-ng to send to Splunk also - presently syslog-ng sends to logs it writes to & sends to MySQL for LogZilla. I use LogZilla and it was as easy as just installing it - LogZilla added its own entries to syslog-ng.conf.

I understand the adding the files (solution 3) but I have it in my mind somehow I'm suppose to have syslog-ng feed directly to Splunk as I was doing with the fifo (not add log by log (clone)) . So I thought then I must send syslog-ng directly to Splunk via TCP port and it will sort out what goes where (instead of reading all the logs in /var/log) :/. Does that make sense? 😄

You replied:

"Point your managed hosts to send syslog to the syslog-ng" <-I'm not using syslog I believe, I'm using only syslog-ng and syslog-ng is working.

"configuring syslog-ng to create a log file per host" <- I have only one host/server/IP- just the box it is installed on, so I don't believe I need to do this?

"And then when configuring your monitor, set the host to be dynamically defined based on a segment in the path (in this case segment 4)" <-Tho I have only one host/IP I should still do this?: Set host: segment in path, Segment #: 4

Thank you again ftk 🙂

Re: How to send syslog-ng messages to Splunk properly?

stephanbuys — Tue, 03 Aug 2010 16:20:43 GMT

Katey, in one of my environments I have a similar setup and I would recommend that you go with proposal 3. (Add the syslog log to Manager ->Data inputs->File & directories->Add new -> /var/log/syslog).

You dont have to configure the whitelist regex.

The advantage of this approach is that Splunk will automatically monitor /var/log/syslog and in the event of Splunk ever stopping (for example because of a reboot) it will be able to continue where it left off, it automatically keeps track of it's progress when in this mode.

Adding a forwarder is just adding complexity and overhead.

Re: How to send syslog-ng messages to Splunk properly?

Katey — Tue, 03 Aug 2010 16:58:50 GMT

Thank you stephanbuys. I feel more confident knowing others use this same method then. I have added these logs, no regex, segment 4, main index, auto detect type all except syslog I added under file list as syslog (didn't know if the others should be under syslog as well): /var/log/auth.log /var/log/cron.log /var/log/daemon.log /var/log/debug /var/log/kern.log /var/log/mail.err /var/log/mail.log /var/log/messages /var/log/syslog /var/log/user.log /var/log/uucp.log

Since those are the ones syslog-ng writes.

Thank you again :))