In my environment, I have a syslog server that collects all of the syslogs from all of my network devices, one of them being Juniper. On the syslog server, there is a directory for each device that sends its syslogs to the syslog server, and in each directory there is a rolling log file for each day where it writes all of the device's syslogs to the file for the day.
I was reading through the Splunk Add-on for Juniper's documentation, and it seems like it is designed to have the Juniper devices forward their data directly to the Splunk indexers on a specific port number. Would it be possible for me to install the app on my syslog server and forward the data from there instead?
you asked a similar question:
the answer is the same.
Splunk apps are designed to work on Splunk
bring the juniper data into splunk and install the app on splunk
read all the way through:
it will explain where to install the app and how to send data to splunk
Yes, the first question I realized I asked about the brocade app when I realized I am using the brocade add-on, not the brocade app. I was going to delete that question but have no idea how.
For both cases, I read through the documentation first, which is how I ended up here with my question. The documentation for these add-ons does not cover my situation, as far as I understand. I understand that the add-on works if you forward data directly from the device (juniper in this case) to the splunk indexers, and have the add-on installed on the search heads and indexers. However, my situation is different.
As I explained in my question, my situation involves a syslog collection server. All of the juniper syslogs are being forwarded to the syslog server, written to a directory that contains rolling log files, then the universal forwarder that is installed on the syslog server is taking the rolling log files and forwarding them to the indexers. I have several types of devices all going to the syslog server, not just juniper. The Universal Forwarder forwards all of the devices data to the indexers using the same port, since all of the logs are being written to the same parent directory. The add-ons seem to be designed specifically to have the devices forward their data directly to the splunk indexers on a specific port. But, I don't have that option. So, I am left wanting to know if the add-on can work with my situation where the devices are forwarding their syslog data to a syslog server, and not directly to the splunk indexers.
I was able to get it to work with the same design. We have a syslog server running rsyslog, aggregating all firewall syslog streams. We're running the universal forwarder on this machine. I added the following monitor stanza in inputs.conf:

[monitor:///*directory*/*filename*.log]
disabled = false
host = *hostname*
index = *firewalls*
sourcetype = juniper
The most important value is the sourcetype. As shown in transforms.conf, the add-on looks for sourcetype "juniper" and performs a regex to determine the type of Juniper log to append to the end of the sourcetype. In my case, it's an SRX log, so it appends ":junos:firewall" for "juniper:junos:firewall". Good luck! Let me know if you have any questions.
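For the collector layout described in the question (one directory per device, one rolling file per day), here is an added inputs.conf example, not from the original post or from the add-on, that derives the host from the directory name with host_segment instead of the static host value in the stanza above; the /var/log/remote path, the firewalls and network index names and the "srx-" directory prefix for Juniper devices are assumptions.

```ini
# Added example (not from the original post). Assumed layout on the collector:
#   /var/log/remote/<device-hostname>/<YYYY-MM-DD>.log
# and Juniper SRX devices whose directory names start with "srx-".

# Juniper SRX directories only. The add-on keys its transforms off the base
# sourcetype "juniper", so this stanza must not match other vendors' directories.
[monitor:///var/log/remote/srx-*/*.log]
disabled = false
index = firewalls
sourcetype = juniper
# Take the host from the 4th path segment (var=1, log=2, remote=3, <device>=4).
# A static "host = ..." line would stamp every event from every device with the
# same value, which is one way the host field ends up wrong on a shared collector.
host_segment = 4
# Skip rotated or compressed copies so the same events are not indexed twice.
blacklist = \.(gz|bz2|\d+)$

# Every other device directory keeps a generic sourcetype but still gets the
# per-device host. The srx-* directories are excluded so the two stanzas never
# claim the same file.
[monitor:///var/log/remote/*/*.log]
disabled = false
index = network
sourcetype = syslog
host_segment = 4
blacklist = (/srx-[^/]*/|\.(gz|bz2|\d+)$)
```

The host value is only as trustworthy as the directory name rsyslog chose: if the collector names directories from the HOSTNAME field of the syslog header, a sender controls it, so name the directories from the sending IP where you need a value the device cannot forge.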
I know this is an older post, but we're trying to do the same thing. We're using an intermediate log collector with a universal forwarder, but we're not getting all the extractions, host in particular. Is there something special you did on your Juniper device to get the correct log format? Thanks.
the add-ons are designed to "capture" log format and match sourcetypes to it so fields can be extracted.
you can bring the data into splunk and just install the add-ons on the forwarders and indexer and you will see magic happens
so to your question, yes it can.
some add-ons ask you to call the sourcetype syslog on your inputs statement.
kindly thoroughly read all the documents for the add-on for juniper.
i am positive it will answer your question and will work beautifully on splunk
many many users and clients use it the same way you are trying to use it, leveraging syslog
hope it helps