Solved: Re: Can splunk read data from unix stream socket?

gots · ‎07-10-2018

Is it possible to get data in splunk from unix stream socket?
Not tcp\udp socket, but socket like this - https://en.wikipedia.org/wiki/Berkeley_sockets

For example syslog-ng have this feature.

brolo · ‎07-16-2018

Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

View solution in original post

woodcock · ‎07-18-2018

Splunk needs more tuning, upgrades and restarts than does syslog-ng so if you go directly to Splunk, without a buffer capability on the sending side, you will have far more data loss. You can update yslog-ng configurations with SIGHUP without a restart or data outage. You cannot do that with Splunk. Use syslog-ng.

woodcock · ‎07-17-2018

I concur with the consensus; see these excellent 2 posts:

http://www.georgestarcher.com/splunk-success-with-syslog/
https://gitlab.com/rationalcyber/syslog-ng-configuration/wikis/home

felipesewaybric · ‎07-17-2018

try with syslog, check the https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/ProtocolDetection

brolo · ‎07-16-2018

Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

vidhyaArumalla · ‎07-17-2018

I agree with @brolo

gots · ‎07-17-2018

I already done it with syslog-ng, but it seems that will be better do not create additional entities for simple task.

Python script also can help, but it is not ideal solution.

I had little hope that something miss in documentation.

Thank you all.

sjodle · ‎07-17-2018

I also agree. Alternatively, you could write a Bash or Python scripted input that reads the socket to stdout.

Can splunk read data from unix stream socket?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!