<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Issue Getting Data In to Splunk Cloud in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560824#M92676</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235933"&gt;@qcjacobo2577&lt;/a&gt;,&lt;BR /&gt;&lt;BR /&gt;Have you checked running this as root?&lt;BR /&gt;Please give your feedback so that it will be very helpful for the people who are trying to learn Splunk. Thank you.&lt;/P&gt;</description>
    <pubDate>Mon, 26 Jul 2021 15:44:07 GMT</pubDate>
    <dc:creator>mahithclt</dc:creator>
    <dc:date>2021-07-26T15:44:07Z</dc:date>
    <item>
      <title>Issue Getting Data In to Splunk Cloud</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/557710#M92301</link>
      <description>&lt;P&gt;We are in the midst of standing up our Splunk Cloud environment. Our architecture and data flows are as follows:&lt;/P&gt;&lt;P&gt;Syslog-NG (w/ Splunk UF Installed) &amp;gt; On-Premise Splunk Heavy Forwarder &amp;gt; Splunk Cloud&lt;/P&gt;&lt;P&gt;I am trying to make sure all of my configurations are sound for getting data from my Syslog Server into Splunk Cloud --- and it would appear that some things are incorrect.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Right now, my configurations are such:&lt;/P&gt;&lt;P&gt;===Syslog-NG Configuration===&lt;BR /&gt;@version: 3.25&lt;BR /&gt;@include "scl.conf"&lt;BR /&gt;options {&lt;BR /&gt;chain_hostnames(no);&lt;BR /&gt;create_dirs (yes);&lt;BR /&gt;dir_perm(0755);&lt;BR /&gt;dns_cache(yes);&lt;BR /&gt;keep_hostname(yes);&lt;BR /&gt;log_fifo_size(2048);&lt;BR /&gt;log_msg_size(8192);&lt;BR /&gt;perm(0644);&lt;BR /&gt;time_reopen (10);&lt;BR /&gt;use_dns(yes);&lt;BR /&gt;};&lt;/P&gt;&lt;P&gt;source s_paloalto { tcp(port(5141) flags(no-parse,store-raw-message)); };&lt;BR /&gt;source s_locallogs { system(); internal(); };&lt;/P&gt;&lt;P&gt;destination d_paloalto { file("/var/log/splunkcloud/paloalto/\$HOST/\$YEAR-\$MONTH-\$DAY-palo.log"); };&lt;BR /&gt;destination d_locallogs { file("/var/log/splunkcloud/systemlogs/\$HOST/\$YEAR-\$MONTH-\$DAY-system.log"); };&lt;/P&gt;&lt;P&gt;log { source(s_paloalto); destination(d_paloalto); };&lt;BR /&gt;log { source(s_locallogs);destination(d_locallogs); };&lt;/P&gt;&lt;P&gt;=======================&lt;/P&gt;&lt;P&gt;===Syslog-NG Splunk UF Inputs.Conf===&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;[monitor:///var/log/splunklogs/paloalto]&lt;BR /&gt;disabled = 0&lt;BR /&gt;index=network&lt;BR /&gt;sourcetype=paloalto&lt;/P&gt;&lt;P&gt;[monitor:///var/log/splunklogs/systemlogs]&lt;BR /&gt;disabled = 0&lt;BR /&gt;index=syslogs&lt;BR /&gt;sourcetype=syslogs&lt;/P&gt;&lt;P&gt;=======================&lt;/P&gt;&lt;P&gt;===Syslog-NG Splunk UF Outputs.Conf===&lt;/P&gt;&lt;P&gt;&lt;BR 
/&gt;[tcpout]&lt;BR /&gt;defaultGroup = syslogs_group, paloalto_group&lt;/P&gt;&lt;P&gt;[tcpout:syslogs_group]&lt;BR /&gt;server=x.x.x.x:5140&lt;/P&gt;&lt;P&gt;[tcpout:paloalto_group]&lt;BR /&gt;server=x.x.x.x:5141&lt;/P&gt;&lt;P&gt;=======================&lt;/P&gt;&lt;P&gt;===Splunk HF Inputs.Conf===&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;[tcp://:5140]&lt;BR /&gt;index=syslogs&lt;BR /&gt;sourcetype=syslogs&lt;/P&gt;&lt;P&gt;[tcp://:5141]&lt;BR /&gt;index=network&lt;BR /&gt;sourcetype=paloalto&lt;/P&gt;&lt;P&gt;=======================&lt;/P&gt;&lt;P&gt;With that, all I am getting in to Splunk Cloud are the following (or similar):&lt;BR /&gt;--splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s-drsyslog-1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x008089\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00&amp;#1;\x00\x00\x00&amp;#19;__s2s_capabilities\x00\x00\x00\x00&amp;#20;ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00&amp;#5;_raw\x00&lt;/P&gt;&lt;P&gt;I did manually create an index on our HF named "syslogs", but while I can query the index, it did not seem to make any difference with respect to the data itself.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Jun 2021 23:59:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/557710#M92301</guid>
      <dc:creator>qcjacobo2577</dc:creator>
      <dc:date>2021-06-29T23:59:19Z</dc:date>
    </item>
    <item>
      <title>Re: Issue Getting Data In to Splunk Cloud</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/558203#M92355</link>
      <description>&lt;P&gt;I notice that the Splunk logs you are monitoring are under /var/log/splunklogs/&lt;/P&gt;&lt;P&gt;By default, /var/log is owned by root so if you are running Splunk as a non-root user it won't have access to the splunklogs sub-directory or the log files within it.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jul 2021 20:05:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/558203#M92355</guid>
      <dc:creator>codebuilder</dc:creator>
      <dc:date>2021-07-02T20:05:33Z</dc:date>
    </item>
    <item>
      <title>Re: Issue Getting Data In to Splunk Cloud</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560824#M92676</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235933"&gt;@qcjacobo2577&lt;/a&gt;,&lt;BR /&gt;&lt;BR /&gt;Have you checked running this as root?&lt;BR /&gt;Please give your feedback so that it will be very helpful for the people who are trying to learn Splunk. Thank you.&lt;/P&gt;</description>
      <pubDate>Mon, 26 Jul 2021 15:44:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560824#M92676</guid>
      <dc:creator>mahithclt</dc:creator>
      <dc:date>2021-07-26T15:44:07Z</dc:date>
    </item>
    <item>
      <title>Re: Issue Getting Data In to Splunk Cloud</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560834#M92677</link>
      <description>&lt;P&gt;Indeed the files in question were permissioned to root.&amp;nbsp; Once I changed the permissions, everything worked as expected.&amp;nbsp; Thank you for your help!&lt;/P&gt;</description>
      <pubDate>Mon, 26 Jul 2021 17:17:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560834#M92677</guid>
      <dc:creator>qcjacobo2577</dc:creator>
      <dc:date>2021-07-26T17:17:05Z</dc:date>
    </item>
    <item>
      <title>Re: Issue Getting Data In to Splunk Cloud</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560836#M92678</link>
      <description>&lt;P&gt;Glad to help! If this resolved your issue please mark it as the Solution as it will help others who come along later &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 26 Jul 2021 17:38:59 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Issue-Getting-Data-In-to-Splunk-Cloud/m-p/560836#M92678</guid>
      <dc:creator>codebuilder</dc:creator>
      <dc:date>2021-07-26T17:38:59Z</dc:date>
    </item>
  </channel>
</rss>

