https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277037#M96378 <P>If you are sending data to Splunk on UDP or TCP, in Splunk on the indexers did you enable data inputs/udp or data inputs/tcp on port 514?</P> Wed, 14 Sep 2016 15:14:33 GMT dmaislin_splunk 2016-09-14T15:14:33Z https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277034#M96375 <P>Hi, I have set the syslog Drupal and I followed this guide: <A href="http://www.asmallwebfirm.net/blogs/2013/04/achieving-drupal-log-bliss-splunk">http://www.asmallwebfirm.net/blogs/2013/04/achieving-drupal-log-bliss-splunk</A><BR /> Without the syslog drupal configuration, now I want to read log files (which I set in the syslog var / log / drupal.log folder) with Splunk.<BR /> Can you help to set Splunk to read the log drupal?</P> Wed, 14 Sep 2016 11:41:17 GMT https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277034#M96375 88mac 2016-09-14T11:41:17Z https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277035#M96376 <P>I have no idea what your Splunk experience is, but:</P> <P>Install a <STRONG>Splunk Forwarder</STRONG> on the Drupal server to forward data from the forwarder to the Splunk Server. This means there is a properly configured outputs.conf that knows where to send the data. Also ensure your <STRONG>Splunk Server</STRONG> has receiving enabled on port 9997 by default.</P> <P>On the forwarder you also need an inputs.conf:</P> <PRE><CODE>[monitor:///var/log/drupal.log] sourcetype=drupal </CODE></PRE> <P>Once you restart the forwarder it should start sending logs to your Splunk server. I hope this helps.</P> Wed, 14 Sep 2016 12:58:46 GMT https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277035#M96376 dmaislin_splunk 2016-09-14T12:58:46Z https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277036#M96377 <P>I use on Drupal, the file rsyslog.conf.<BR /> At the end of this file, I put in this code: <BR /> local0.* /var/log/drupal.log<BR /> local0.* @@ip:ports </P> <P>Splunk now it enables the port, but nothing happens. Splunk does not see the Drupal data</P> Wed, 14 Sep 2016 14:33:25 GMT https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277036#M96377 88mac 2016-09-14T14:33:25Z https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277037#M96378 <P>If you are sending data to Splunk on UDP or TCP, in Splunk on the indexers did you enable data inputs/udp or data inputs/tcp on port 514?</P> Wed, 14 Sep 2016 15:14:33 GMT https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277037#M96378 dmaislin_splunk 2016-09-14T15:14:33Z https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277038#M96379 <P>Then I go on Splunk on "Forwarding and receiving", "Receive data" and imposed on port 514? Correct?</P> Wed, 14 Sep 2016 15:23:02 GMT https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277038#M96379 88mac 2016-09-14T15:23:02Z https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277039#M96380 <P>No. Settings/Forwarding and Receiving is when you use forwarders on port 9997 (default).</P> <P>Settings/Data Inputs/UDP or TCP is where you add 514 with rsyslog.</P> Wed, 14 Sep 2016 15:48:50 GMT https://community.splunk.com/t5/Getting-Data-In/Reading-Drupal-syslog-with-Splunk/m-p/277039#M96380 dmaislin_splunk 2016-09-14T15:48:50Z