syslog events not sent to Splunk

Esky73 · ‎01-28-2021

trying out SC4S - not seeing my syslog come through to Splunk

Installed all running docker - no firewalls or selinux

syslog hitting server running sc4s :

tcpdump -i eth0 dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:24:24.962899 IP x.x.x.x.bob.com.38897 > 197-202-166-108-dedicated.multacom.com.syslog: SYSLOG local0.warning, length: 273

docker seems to be running fine - i receive HEC TEST EVENT's

and startup events in splunk : sc4s version=v1.47.3

sc4s logs :

[root@bob system]# docker logs SC4S
'/etc/syslog-ng/local_config/destinations/README.md' -> '/etc/syslog-ng/conf.d/local/config/destinations/README.md'
'/etc/syslog-ng/local_config/filters/README.md' -> '/etc/syslog-ng/conf.d/local/config/filters/README.md'
'/etc/syslog-ng/local_config/filters/example.conf' -> '/etc/syslog-ng/conf.d/local/config/filters/example.conf'
'/etc/syslog-ng/local_config/log_paths/README.md' -> '/etc/syslog-ng/conf.d/local/config/log_paths/README.md'
'/etc/syslog-ng/local_config/log_paths/lp-example.conf.tmpl' -> '/etc/syslog-ng/conf.d/local/config/log_paths/lp-example.conf.tmpl'
'/etc/syslog-ng/local_config/sources/README.md' -> '/etc/syslog-ng/conf.d/local/config/sources/README.md'

SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful; checking indexes...

SC4S_ENV_CHECK_INDEX: Checking email {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking epav {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking epintel {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking epintelexit {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking fireeye {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking infraops {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking main {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netauth {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netdlp {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netdns {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netfw {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netids {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netipam {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netops {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netproxy {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking netwaf {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking osnix {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking oswin {"text":"Success","code":0}
SC4S_ENV_CHECK_INDEX: Checking oswinsec {"text":"Success","code":0}
syslog-ng checking config
sc4s version=v1.47.3
starting goss
starting syslog-ng

syslog events not sent to Splunk

troubleshooting

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

syslog events not sent to Splunk

troubleshooting

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers