Why is linux collector server not reporting syslog to splunk instance?

dminguez
Loves-to-Learn

Hi,

We are trying to send syslogs from 3 different endpoints from different suppliers to an Ubuntu 20.04 server.

I'm receiving these syslogs on UDP port 514 and trying to send them over TCP port 9997 to the Splunk instance to be processed. I have installed the Splunk universal forwarder on the collector VM, targeting the host:port that I needed, although I'm not receiving any traffic from the firewalls, and I get some logs from the collector VM with missing chunks of information.

I have checked that all communications and ports are up and responding, and the outputs.conf file has the right settings, but port 9997 is unavailable from the Splunk web panel when I try to add it as a data input in Settings.

Does anyone know if I am missing anything here?

Do I need to use syslog-ng to successfully send syslogs to the Splunk instance from a Linux VM?

Thanks for your help!

Regards.


venky1544
Builder

Hi @dminguez 

If you install syslog-ng on the Linux VM, redirect the logs to a file, and point the Splunk UF at that file on the VM so it reads the syslog-ng data and sends it to Splunk, that would be a Splunk-recommended best practice. Basically, when you log to a local file, it provides a local buffer and you aren't blocked if the network goes down.

And when you say "port 9997 is unavailable from the splunk web panel": port 9997 needs to be configured under the forwarding and receiving option; it would not be under data inputs.

Please follow the option below:

Settings >> Forwarding and receiving >> Configure receiving


dminguez
Loves-to-Learn

Thanks for the answer. I configured the port under the "Forwarding and receiving" option as you said and went through this documentation (https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html). I was able to get the configuration that I needed to put in /syslog-ng/conf.d, although it doesn't write the directories in the destinations that are given. I also checked whether SELinux was interfering, but it is disabled. Do you know what the problem could be?

Thanks for your help.

Regards.


venky1544
Builder

Hi @dminguez 

So when you say "it doesn't write the directories in the destinations that are given":

1) Do you mean syslog is not writing the data to the directories, or that the Splunk UF is not reading the directory? You need to share your syslog conf details.

2) Is your VM (Ubuntu) receiving the data from the three different endpoints? How are you validating that?

Thanks

dminguez
Loves-to-Learn

I meant that syslog wasn't writing the directories detailed in the config file, but I've managed to get all logs coming from the firewalls through UDP 514 into a txt file.

I am monitoring that file using the Splunk UF and I can see it in the Splunk web panel. However, I'm trying to use the script posted in the community to separate the logs into different files or folders, and it isn't working.

Is there any update of the script available? If so, could anyone share it in this post?

I'm sharing here the script that I've been using.

Thanks.

@version:3.2

# syslog-ng configuration file.
# Use straight ASCII quotes inside file() and match(); typographic quotes are a syntax error.
options {
    chain_hostnames(no);
    create_dirs(yes);        # create missing directories below the destination paths
    dir_perm(0755);
    dns_cache(yes);
    keep_hostname(yes);      # $HOST is the name in the message header, not the sender's address
    log_fifo_size(2048);
    log_msg_size(8192);
    perm(0644);
    time_reopen(10);
    use_dns(yes);
    use_fqdn(yes);
};

# Source: the firewalls send plain syslog over UDP 514
source s_network {
    udp(port(514));
};

# Destinations: one file per vendor, per sending host, per day
destination d_cisco_asa { file("/home/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log" create_dirs(yes)); };
destination d_palo_alto { file("/home/syslog/logs/paloalto/$HOST/$YEAR-$MONTH-$DAY-palo.log" create_dirs(yes)); };
destination d_all       { file("/home/syslog/logs/catch_all/$HOST/$YEAR-$MONTH-$DAY-catch_all.log" create_dirs(yes)); };

# Filters: vendor markers looked up in both PROGRAM and MESSAGE
filter f_cisco_asa { match("%ASA" value("PROGRAM")) or match("%ASA" value("MESSAGE")); };
filter f_palo_alto { match("009401000570" value("PROGRAM")) or match("009401000570" value("MESSAGE")); };
# Catch-all: anything neither vendor filter claimed
filter f_all { not (filter(f_cisco_asa) or filter(f_palo_alto)); };

# Log paths
log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); };
log { source(s_network); filter(f_palo_alto); destination(d_palo_alto); };
log { source(s_network); filter(f_all);       destination(d_all); };

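Added example, not from the original post and not Splunk's or syslog-ng's own code: an offline Python simulation of the routing that the posted syslog-ng configuration describes, together with the Splunk UF inputs.conf stanzas that venky1544's "log to a file, let the UF read it" answer implies. It parses constructed RFC 3164 datagrams, applies the page's two vendor filters and the catch-all, expands the $HOST/$YEAR/$MONTH/$DAY file templates, and derives the host_segment value each monitor stanza needs so the firewall name becomes the event host. The sample messages, peer addresses, sourcetype names and the simplified program-tag parsing are assumptions; the destination templates and filter strings are taken from the posted config.

```python
import re
from datetime import date

# Destinations and filters copied from the syslog-ng.conf posted above (straight quotes).
# Each entry: (destination name, file template, regex that match() applies to PROGRAM and MESSAGE).
ROUTES = [
    ("d_cisco_asa", "/home/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log", r"%ASA"),
    ("d_palo_alto", "/home/syslog/logs/paloalto/$HOST/$YEAR-$MONTH-$DAY-palo.log", r"009401000570"),
]
CATCH_ALL = ("d_all", "/home/syslog/logs/catch_all/$HOST/$YEAR-$MONTH-$DAY-catch_all.log")

# Assumed sourcetypes for the UF stanzas (cisco:asa and pan:log are the names the Cisco ASA
# and Palo Alto Networks add-ons expect; plain syslog for the rest). Not part of the post.
SOURCETYPES = {"d_cisco_asa": "cisco:asa", "d_palo_alto": "pan:log", "d_all": "syslog"}

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<rest>.*)$", re.S)
TAG = re.compile(r"^(?P<prog>[^ \[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)


def parse_rfc3164(raw, peer_ip):
    """Split one RFC 3164 datagram into HOST / PROGRAM / MESSAGE, approximating syslog-ng's
    legacy parser (assumption: the real parser has more special cases). With keep_hostname(yes)
    $HOST is the name in the message header, not the sender's IP; a datagram with no parsable
    header falls back to the peer address."""
    m = HEADER.match(raw)
    if not m:
        return {"HOST": peer_ip, "PROGRAM": "", "MESSAGE": raw}
    rest = m.group("rest")
    t = TAG.match(rest)
    if t:  # classic "program[pid]: text" tag, e.g. sshd[2311]: ... or %ASA-6-302013: ...
        return {"HOST": m.group("host"), "PROGRAM": t.group("prog"), "MESSAGE": t.group("msg")}
    # No program tag (PAN-OS sends a comma-separated body): the whole body is MESSAGE,
    # which is why the posted filter checks MESSAGE as well as PROGRAM.
    return {"HOST": m.group("host"), "PROGRAM": "", "MESSAGE": rest}


def expand(template, fields, day):
    """Expand the $HOST/$YEAR/$MONTH/$DAY macros used in the file() templates."""
    return (template.replace("$HOST", fields["HOST"])
                    .replace("$YEAR", f"{day.year:04d}")
                    .replace("$MONTH", f"{day.month:02d}")
                    .replace("$DAY", f"{day.day:02d}"))


def route(raw, peer_ip="0.0.0.0", day=None):
    """Return [(destination, expanded path), ...] for one datagram, mirroring the three
    log {} statements: every vendor filter that matches gets a copy; the catch-all
    (filter f_all) fires only when no vendor filter matched."""
    day = day or date.today()
    fields = parse_rfc3164(raw, peer_ip)
    hits = [(name, expand(tpl, fields, day)) for name, tpl, rx in ROUTES
            if re.search(rx, fields["PROGRAM"]) or re.search(rx, fields["MESSAGE"])]
    if hits:
        return hits
    name, tpl = CATCH_ALL
    return [(name, expand(tpl, fields, day))]


def host_segment(template):
    """1-based index of the path segment holding $HOST: the value Splunk's host_segment
    setting needs so each event is indexed with the firewall's name as host."""
    return template.strip("/").split("/").index("$HOST") + 1


def inputs_conf():
    """Render the UF monitor stanzas for the collector. Each monitored directory is the
    part of the template above $HOST (monitor inputs recurse into subdirectories)."""
    stanzas = []
    for name, tpl, *_ in ROUTES + [CATCH_ALL]:
        base = tpl.split("/$HOST")[0]
        stanzas.append(f"[monitor://{base}]\nsourcetype = {SOURCETYPES[name]}\n"
                       f"host_segment = {host_segment(tpl)}\ndisabled = false\n")
    return "\n".join(stanzas)


# Constructed sample datagrams (not real traffic): an ASA, a PAN-OS firewall and a switch
# that should land in the catch-all. PAN-OS carries the device serial number in its CSV body.
SAMPLE_DAY = date(2024, 6, 12)
SAMPLES = [
    ("192.0.2.10", "<166>Jun 12 10:15:02 asa-edge %ASA-6-302013: Built outbound TCP connection 1001 "
                   "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)"),
    ("192.0.2.20", "<14>Jun 12 10:15:03 pa-fw1 1,2024/06/12 10:15:03,009401000570,TRAFFIC,end,2561,"
                   "2024/06/12 10:15:03,10.0.0.5,203.0.113.5,0.0.0.0,0.0.0.0,allow-web,,,ssl,vsys1,trust,untrust"),
    ("192.0.2.30", "<13>Jun 12 10:15:04 core-sw sshd[2311]: Accepted publickey for admin from 10.0.0.9 port 50122 ssh2"),
]

if __name__ == "__main__":
    for ip, line in SAMPLES:
        print(ip, "->", route(line, ip, SAMPLE_DAY))
    print(inputs_conf())
```

Two practical notes on the design. First, the directory level that carries $HOST is what host_segment points at; because the posted config uses keep_hostname(yes), that directory is named after the hostname the firewall writes into its own syslog header, so a device that sends no hostname (or a garbled header) ends up under its IP address instead. Second, the stanzas above only cover the collector side: the indexer still needs receiving enabled on 9997 (Settings >> Forwarding and receiving >> Configure receiving, which writes a [splunktcp://9997] stanza to the indexer's inputs.conf), and the syslog-ng side can be checked before restarting with `syslog-ng --syntax-only`.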