https://community.splunk.com/t5/Getting-Data-In/Using-syslog-to-forward-data-or-Universal-forwarder/m-p/194909#M38781 <P>I have setup splunk 6.1.1. In our environment we are running rsyslog in a failover configuration.<BR /> Rsyslog is collecting all the data and then forwarding the data to Splunk. Splunk is configured<BR /> with a tcp receiver on port 514. The one issue we are running into is we are getting a large number<BR /> of entries that are not syslog compliant. We are then getting hosts with names such as 2014,14z etc.<BR /> I am looking for advice on what would be the best way to reduce these errors? Would the universal forwarder work better at detecting log types and then forwarding it to Splunk?</P> Tue, 10 Jun 2014 18:51:48 GMT andywt123 2014-06-10T18:51:48Z https://community.splunk.com/t5/Getting-Data-In/Using-syslog-to-forward-data-or-Universal-forwarder/m-p/194909#M38781 <P>I have setup splunk 6.1.1. In our environment we are running rsyslog in a failover configuration.<BR /> Rsyslog is collecting all the data and then forwarding the data to Splunk. Splunk is configured<BR /> with a tcp receiver on port 514. The one issue we are running into is we are getting a large number<BR /> of entries that are not syslog compliant. We are then getting hosts with names such as 2014,14z etc.<BR /> I am looking for advice on what would be the best way to reduce these errors? Would the universal forwarder work better at detecting log types and then forwarding it to Splunk?</P> Tue, 10 Jun 2014 18:51:48 GMT https://community.splunk.com/t5/Getting-Data-In/Using-syslog-to-forward-data-or-Universal-forwarder/m-p/194909#M38781 andywt123 2014-06-10T18:51:48Z https://community.splunk.com/t5/Getting-Data-In/Using-syslog-to-forward-data-or-Universal-forwarder/m-p/194910#M38782 <P>Depending on what information / insights you're looking for, there might be certain info needed from forwarders, in order to put the right data in the right indexes to make the Apps work as designed.<BR /> SplunkForwarder can collect metrics / stats from Windows, Linux, etc. that are often not easily attainable via syslog (See <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Aboutforwardingandreceivingdata">About forwarding and receiving</A>).</P> <P>How many syslog sources are you sending through your rsyslog, and what OS are they?<BR /> If you aren't sure how to track any possible trends related to where the malformed log entries, then <A href="http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Aboutdeploymentserver">setting up Deployment</A> and installing forwarders instead of syslog could definitely help you clean up your data (format errors), as well as provide additional data to bring the apps to life.</P> Thu, 18 Dec 2014 05:00:32 GMT https://community.splunk.com/t5/Getting-Data-In/Using-syslog-to-forward-data-or-Universal-forwarder/m-p/194910#M38782 bcdady 2014-12-18T05:00:32Z