https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501850#M85510 <P>Put UF on your rsyslog box and read the files you are already writing.</P> Thu, 05 Dec 2019 17:02:54 GMT starcher 2019-12-05T17:02:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501849#M85509 <P>There are around 400 servers, which are already forwarding required logs to IBM Qradar using rsyslog. Instead of installing universal forwarders in every server, I want to add one more forwarder (Splunk HWF) in rsyslog config in order to receive logs from every servers. </P> <P>• What utility I need to install on log Collector<BR /> • Can I install this utility on HWF itself as load is very less on this server<BR /> • Where I will define index and sourcetype details in this case</P> Thu, 05 Dec 2019 13:24:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501849#M85509 asharma21193 2019-12-05T13:24:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501850#M85510 <P>Put UF on your rsyslog box and read the files you are already writing.</P> Thu, 05 Dec 2019 17:02:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501850#M85510 starcher 2019-12-05T17:02:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501851#M85511 <P><A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A></P> Thu, 05 Dec 2019 17:03:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501851#M85511 starcher 2019-12-05T17:03:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501852#M85512 <P>it is IBM log collector that we need to decommission. Kindly help with standard solution. </P> Fri, 06 Dec 2019 03:31:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501852#M85512 asharma21193 2019-12-06T03:31:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501853#M85513 <P>The standard solution is to run a syslog collector with a UF as stated. You could make a new one and redirect syslog there. </P> Fri, 06 Dec 2019 03:44:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501853#M85513 starcher 2019-12-06T03:44:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501854#M85514 <P>Can I install this utility on HWF itself as load is very less on this server ?<BR /> Where I will define index and sourcetype details in this case ?</P> Fri, 06 Dec 2019 03:46:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501854#M85514 asharma21193 2019-12-06T03:46:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501855#M85515 <P>You shouldn't run a heavy forwarder to pickup syslog. You should use a universal forwarder. </P> <P>Configuration of either install can do it, however inputs and getting data in can be found at <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Getstartedwithgettingdatain">https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Data/Getstartedwithgettingdatain</A></P> <P>You may want to consult your splunk administrator or professional services if you have not used splunk at all before.</P> Fri, 06 Dec 2019 13:50:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-forward-logs-using-rsyslog/m-p/501855#M85515 starcher 2019-12-06T13:50:25Z