Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- syslog events not sent to Splunk
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
syslog events not sent to Splunk
Esky73
Builder
01-28-2021
05:40 AM
trying out SC4S - not seeing my syslog come through to Splunk
Installed all running docker - no firewalls or selinux
syslog hitting server running sc4s :
tcpdump -i eth0 dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:24:24.962899 IP x.x.x.x.bob.com.38897 > 197-202-166-108-dedicated.multacom.com.syslog: SYSLOG local0.warning, length: 273
docker seems to be running fine - i receive HEC TEST EVENT's
and startup events in splunk : sc4s version=v1.47.3
sc4s logs :
[root@bob system]# docker logs SC4S
'/etc/syslog-ng/local_config/destinations/README.md' -> '/etc/syslog-ng/conf.d/local/config/destinations/README.md'
'/etc/syslog-ng/local_config/filters/README.md' -> '/etc/syslog-ng/conf.d/local/config/filters/README.md'
'/etc/syslog-ng/local_config/filters/example.conf' -> '/etc/syslog-ng/conf.d/local/config/filters/example.conf'
'/etc/syslog-ng/local_config/log_paths/README.md' -> '/etc/syslog-ng/conf.d/local/config/log_paths/README.md'
'/etc/syslog-ng/local_config/log_paths/lp-example.conf.tmpl' -> '/etc/syslog-ng/conf.d/local/config/log_paths/lp-example.conf.tmpl'
'/etc/syslog-ng/local_config/sources/README.md' -> '/etc/syslog-ng/conf.d/local/config/sources/README.md'
SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful; checking indexes...
SC4S_ENV_CHECK_INDEX: Checking email {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking epav {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking epintel {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking epintelexit {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking fireeye {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking infraops {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking main {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netauth {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netdlp {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netdns {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netfw {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netids {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netipam {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netops {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netproxy {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netwaf {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking osnix {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking oswin {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking oswinsec {"text":"Success","code":0}
syslog-ng checking config
sc4s version=v1.47.3
starting goss
starting syslog-ng
Get Updates on the Splunk Community!
Observability | How to Think About Instrumentation Overhead (White Paper)
Novice observability practitioners are often overly obsessed with performance. They might approach ...
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud
Today many enterprises ...
The Great Resilience Quest: 10th Leaderboard Update
The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >>
As our brave ...
