<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Syslog and Splunk? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507119#M86296</link>
    <description>&lt;P&gt;See&amp;nbsp;&lt;A href="http://www.georgestarcher.com/splunk-success-with-syslog/" target="_self"&gt;http://www.georgestarcher.com/splunk-success-with-syslog/&lt;/A&gt;&amp;nbsp;for a good description of why one shouldn't send syslog directly into Splunk and how to use a syslog server instead.&lt;/P&gt;&lt;P&gt;You should be able to configure rsyslog or syslog-ng to filter your VPN data for you.&lt;/P&gt;&lt;P&gt;If your syslog server is on the same server as Splunk then there's no need for a forwarder.&amp;nbsp; Just define input(s) to monitor the directories where the syslog data is stored.&lt;/P&gt;</description>
    <pubDate>Thu, 02 Jul 2020 17:40:54 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2020-07-02T17:40:54Z</dc:date>
    <item>
      <title>Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/506956#M86276</link>
      <description>&lt;P&gt;Hello Everyone,&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are sending VPN data via syslog over UDP to our Splunk server. The reason we are using syslog and not a forwarder is because we wanted to filter the VPN logins to only show the ones that are for our environment; this is why we used syslog. Anyway, my concern is that I have been reading online that having the syslog sent to the Splunk server can cause issues and Splunk would need to operate as root to access the syslogs. Should I have a separate server for the syslogs and then figure out a way to send them to the Splunk server?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2020 01:09:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/506956#M86276</guid>
      <dc:creator>splunktrainingu</dc:creator>
      <dc:date>2020-07-02T01:09:33Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/506979#M86279</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/59944"&gt;@splunktrainingu&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;I don't like syslogs because if you have a problem (maintenance, congestion, etc.), you lose them.&lt;/P&gt;&lt;P&gt;If your need is only to filter logs, you can do this following the documentation at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Anyway, there isn't any problem taking syslogs, and the access to the syslogs is the same as for the other files: if you set grants for the splunk user, you can access the syslogs.&lt;/P&gt;&lt;P&gt;If you want to use syslogs, it's a good practice to use two Heavy Forwarders with a Load Balancer to take them, so you can separate this function from the Indexers; two and an LB for HA needs.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2020 07:10:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/506979#M86279</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2020-07-02T07:10:13Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507117#M86295</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt;&amp;nbsp;Sorry, I want to clarify something.&amp;nbsp; &amp;nbsp;But do I need two Heavy Forwarders if the syslog is already on the same server as my Splunk server? If I wanted to use the Heavy Forwarders with a load balancer, then wouldn't I have to set up a separate syslog server that then forwards to my Splunk server?&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2020 16:58:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507117#M86295</guid>
      <dc:creator>splunktrainingu</dc:creator>
      <dc:date>2020-07-02T16:58:18Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507119#M86296</link>
      <description>&lt;P&gt;See&amp;nbsp;&lt;A href="http://www.georgestarcher.com/splunk-success-with-syslog/" target="_self"&gt;http://www.georgestarcher.com/splunk-success-with-syslog/&lt;/A&gt;&amp;nbsp;for a good description of why one shouldn't send syslog directly into Splunk and how to use a syslog server instead.&lt;/P&gt;&lt;P&gt;You should be able to configure rsyslog or syslog-ng to filter your VPN data for you.&lt;/P&gt;&lt;P&gt;If your syslog server is on the same server as Splunk then there's no need for a forwarder.&amp;nbsp; Just define input(s) to monitor the directories where the syslog data is stored.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2020 17:40:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507119#M86296</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-07-02T17:40:54Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507129#M86298</link>
      <description>&lt;P&gt;&lt;EM&gt;If your syslog server is on the same server as Splunk then there's no need for a forwarder.&amp;nbsp; Just define input(s) to monitor the directories where the syslog data is stored.&amp;nbsp;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957"&gt;@richgalloway&lt;/a&gt;&amp;nbsp; when you say inputs.conf file, do you mean the inputs.conf file in Splunk/opt/splunk/etc/system/local ?&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2020 18:55:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507129#M86298</guid>
      <dc:creator>splunktrainingu</dc:creator>
      <dc:date>2020-07-02T18:55:12Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507134#M86299</link>
      <description>That's one option. You could also use an inputs.conf file in a custom app.</description>
      <pubDate>Thu, 02 Jul 2020 19:06:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507134#M86299</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-07-02T19:06:04Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507141#M86301</link>
      <description>&lt;P&gt;Which inputs.conf file are you talking about? Would it be easier to make an index that points to the location of the syslog?&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jul 2020 19:38:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507141#M86301</guid>
      <dc:creator>splunktrainingu</dc:creator>
      <dc:date>2020-07-02T19:38:14Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog and Splunk?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507148#M86303</link>
      <description>&lt;P&gt;I'm talking about ANY inputs.conf file. It doesn't make much difference. You can use $SPLUNK_HOME/etc/system/local/inputs.conf if you prefer, but I prefer to put my custom configs in an app I create, like $SPLUNK_HOME/etc/apps/my_inputs/local/inputs.conf.&lt;BR /&gt;It's not possible to make an index point to the location of the syslog. You must define an input that reads from the syslog file(s) and writes to an index.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jul 2020 12:54:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-and-Splunk/m-p/507148#M86303</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-07-03T12:54:42Z</dc:date>
    </item>
  </channel>
</rss>