topic Re: Getting Syslog logs into Splunk last version in Splunk Search

Getting Syslog logs into Splunk last version

porbea01 — Wed, 11 Mar 2020 15:51:22 GMT

Hi, I'm new in Splunk and I'm trying to collect Syslog log to indexers. I have read in Splunk documentation that Splunk Enterprise could listen on a TCP or UDP port for data coming from the syslog service on one or more machines, but that this option is no longer available in the latest versions. Can anyone help me know how to collect Syslog logs to analyze them with Splunk?

Re: Getting Syslog logs into Splunk last version

gcusello — Wed, 11 Mar 2020 15:55:50 GMT

Hi @porbea01,
why do you say that it isn't available in 8.0.2 version?
see at [Settings -- Data Inputs -- TCP/UDP -- Add New]
and you can add your network input.
for more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/Monitornetworkports

Ciao.
Giuseppe

Re: Getting Syslog logs into Splunk last version

porbea01 — Wed, 11 Mar 2020 18:19:34 GMT

Hi, I understand that I need a device that works as a Syslog server (in my case Syslog-ng) to collect all the logs from my network devices. What type of device do you recommend to use as an intermediate Syslog-ng server between my network devices and the Splunk instance?

Re: Getting Syslog logs into Splunk last version

gcusello — Thu, 12 Mar 2020 07:18:45 GMT

Hi @porbea01,
you have two choices:

use a Splunk Heavy Forwarder enabling the network input you need (TCP or UDP);
use a Syslog-ng server to receive logs that are written on a file and then use a Splunk Universal Forwarder to read these files and send them to Indexers.

I prefer the first solution because there isn't any delay between receiving and forwarding to Indexers, but anyway it's usually a very little delay.
In addition I prefer the first one to have only one component (Splunk Heavy Forwarder) and not two components (Syslog-ng and Splunk Universal Forwarder).
Anyway both solution are functional to the scope!
In both cases, I suggest to use a dedicated server.

In addition, to avoid a Single Point of Failure in both cases, I suggest to use two servers and a Load balancer to distribute load between servers during normal job and manage the eventual failure of one of them; this is needed because syslogs must be ingested in real time otherwise are lost.
If you haven't a Load Balancer, you can use DNS to associate two IP addresses to a DNS name.

Ciao.
Giuseppe

Re: Getting Syslog logs into Splunk last version

FrankVl — Thu, 12 Mar 2020 08:19:32 GMT

Why recommend using a HF, when a UF would serve perfectly fine for network inputs?

Also, there are several reasons why using network inputs is not considered best practice for ingesting syslog data. Using a syslog daemon that writes to files is significantly more robust against data loss (e.g. due to splunk blocking its input queues / during splunk restart); especially with UDP. It also allows making use of syslog's built in features to write logs from different devices to separate files / folders, potentially making host assignment in splunk easier and more efficient. It also makes troubleshooting easier.

Also more modern approaches are appearing the last few years, with several solutions for having a syslog daemon forward logs directly to a HEC endpoint. Cutting out the need of a forwarder completely resulting in a more performant, easier to load balance flow.

Re: Getting Syslog logs into Splunk last version

FrankVl — Thu, 12 Mar 2020 08:28:39 GMT

A virtual machine running a recent linux distro (or at least has a recent version of syslog-ng installed) with sufficient resources to handle your data volume. If you're worried about data loss, or want extra performance and better data balancing towards your splunk environment, you can also setup multiple of these boxes with a load balancer in front.

As mentioned in my comment above, it is usually recommended to have the syslog daemon write to file and install a UF on the same box to read from those files.

Alternatively you could look at solutions that allow the syslog server to send straight to HEC:
- Splunk Connect for Syslog: https://splunkbase.splunk.com/app/4740/
- its much simpler predecessor omsplunkhec: https://bitbucket.org/rfaircloth-splunk/rsyslog-omsplunk/src/445676ad128d8ca5de3b573c55450ecc13b3dd88/omsplunkhec.py
- your syslog daemon's native http destination: https://www.rfaircloth.com/2019/04/22/to-hec-with-syslog-all-grown-up/

Re: Getting Syslog logs into Splunk last version

gcusello — Thu, 12 Mar 2020 08:30:07 GMT

I accept your position and I'll consider it.
For the moment I maintain my idea but I'll put it in discussion!
Thank you.
Giuseppe

Re: Getting Syslog logs into Splunk last version

porbea01 — Thu, 12 Mar 2020 15:52:33 GMT

Thanks for the tips. I will be studying both recommendations.

Re: Getting Syslog logs into Splunk last version

nomad899 — Thu, 04 Mar 2021 02:26:12 GMT

Hey Frank, I'm trying to ingest syslog log data from meraki. Not using dedicated syslog server, I have got config on meraki pointed directly to my splunk forwarder and data input is configured with udp 514. Also, I have Ta-meraki addon enabled. The problem is I'm not getting anything on splunk search source type meraki.

Or do you have any recommendations on ingesting syslog data from these meraki to splunk?