Solved: Re: Can splunk read data from unix stream socket?

gots · ‎07-10-2018

Is it possible to get data in splunk from unix stream socket?
Not tcp\udp socket, but socket like this - https://en.wikipedia.org/wiki/Berkeley_sockets

For example syslog-ng have this feature.

brolo · ‎07-16-2018

Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

View solution in original post

woodcock · ‎07-18-2018

Splunk needs more tuning, upgrades and restarts than does syslog-ng so if you go directly to Splunk, without a buffer capability on the sending side, you will have far more data loss. You can update yslog-ng configurations with SIGHUP without a restart or data outage. You cannot do that with Splunk. Use syslog-ng.

woodcock · ‎07-17-2018

I concur with the consensus; see these excellent 2 posts:

http://www.georgestarcher.com/splunk-success-with-syslog/
https://gitlab.com/rationalcyber/syslog-ng-configuration/wikis/home

felipesewaybric · ‎07-17-2018

try with syslog, check the https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/ProtocolDetection

brolo · ‎07-16-2018

Why not use syslog-ng as a go between?
See this link: httpss://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html

vidhyaArumalla · ‎07-17-2018

I agree with @brolo

gots · ‎07-17-2018

I already done it with syslog-ng, but it seems that will be better do not create additional entities for simple task.

Python script also can help, but it is not ideal solution.

I had little hope that something miss in documentation.

Thank you all.

sjodle · ‎07-17-2018

I also agree. Alternatively, you could write a Bash or Python scripted input that reads the socket to stdout.

Can splunk read data from unix stream socket?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application