topic Re: Not able to send logs to my syslog-ng server in Getting Data In

Not able to send logs to my syslog-ng server

g_paternicola — Tue, 22 Dec 2020 13:19:00 GMT

Hi eveyone, I'm try to send pihole.log to my syslog-ng server through an splunk universal forwarder.

Details about my system:
I configured following files:

inputs.conf [monitor:///var/log/pihole.log] disabled = false sourcetype = pihole:log output.conf [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 10.20.30.15:514 [tcpout-server://10.20.30.15:514] props.conf [dnsmasq] NO_BINARY_CHECK = true DATETIME_CONFIG = TIME_FORMAT = %b %d %H:%M:%S

The issue I'm gonna get is that the log file on the syslog side looks like this:

Dec 22 12:58:04 10.20.30.5 @ Dec 22 12:58:04 10.20.30.5 Dec 22 12:58:04 10.20.30.5 __s2s_capabilities Dec 22 12:58:04 10.20.30.5 ack=0;compression=0 Dec 22 12:58:04 10.20.30.5 _raw Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3-- Dec 22 12:58:24 10.20.30.5 pihole Dec 22 12:58:24 10.20.30.5 8089 Dec 22 12:58:24 10.20.30.5 @ Dec 22 12:58:24 10.20.30.5 Dec 22 12:58:24 10.20.30.5 __s2s_capabilities Dec 22 12:58:24 10.20.30.5 ack=0;compression=0 Dec 22 12:58:24 10.20.30.5 _raw

which is not really much 🙂

Do you have a hint for me to solve this issue? I'd be very happy 🙂

Re: Not able to send logs to my syslog-ng server

aasabatini — Tue, 22 Dec 2020 13:34:19 GMT

Hi ,

To forward syslog data I suppose it's better use Splunk Heavyforwarder not Universal Forwarder.

The HF is only a normal splunk instance with Forwarding rule.

However I think it's better index the info logs and send to the syslog NG server.

Re: Not able to send logs to my syslog-ng server

g_paternicola — Tue, 22 Dec 2020 14:05:43 GMT

Even on HF I have to configure inputs.conf and outputs.conf like a UF, so what other should I configure on the HF in order to get the right data and not this garbage? Do I have to install the pihole app in order to get clearly data in and then forward it to my syslog?

Re: Not able to send logs to my syslog-ng server

aasabatini — Tue, 22 Dec 2020 14:20:23 GMT

Try to index data with the add (https://splunkbase.splunk.com/app/4505/) on and after forward to the syslog.

Yes you can forward the data via outputs.conf or GUI.

Re: Not able to send logs to my syslog-ng server

g_paternicola — Tue, 22 Dec 2020 14:27:57 GMT

Thank you very much for your answer, but is that a good way sending logs to Splunk HF > Syslog-NG and then again to Splunk ?

Re: Not able to send logs to my syslog-ng server

scelikok — Tue, 22 Dec 2020 14:44:52 GMT

@g_paternicola, if you want to forward all data to syslog server you can use UF. You should send data to syslog server by using syslog output. Please try below config,

outputs.conf

[syslog] defaultGroup=syslogGroup [syslog:syslogGroup] server = 10.20.30.15:514

If this reply helps you upvote is appreciated.

Re: Not able to send logs to my syslog-ng server

g_paternicola — Tue, 22 Dec 2020 15:09:09 GMT

@scelikok thank you for your hint! syslog stanza make really sense here... but I'm not gonna get any logs anymore...

Re: Not able to send logs to my syslog-ng server

scelikok — Tue, 22 Dec 2020 15:41:35 GMT

Sorry @g_paternicola, I missed that the syslog output processor is not available for UF. The same config should be running if you convert that UF to HF.