Getting Data In

Does rsyslog work well with Splunk

dcroteau
Splunk Employee
Splunk Employee

Does both Enterprise (supported) and free rsyslog support wildcarding?

Does rsyslog work well with Splunk?

Is Rsyslog supported on PowerPC running LINUX?

Tags (1)
0 Karma

dcroteau
Splunk Employee
Splunk Employee

First, let me say that there is no "enterprise" version of rsyslog, at least for the time being. There is just one very capable version, but you can purchase support with it (what, of course, I appreciate ;)).

I don't see any reason why rsyslog should not run on PowerPC. Did you try a compile and it failed? If so, please let me know what happened. I do not have a PowerPC environment to test myself.

0 Karma

christopher_hod
Path Finder

We use rsyslog. All networking equipment send it's logs to a central syslog server(*) that then uses this rule:

$template DynaFile,"/var/log/syslog/system-%FROMHOST%.log",500000

We then grab them with an inputs.conf that looks like this:

[monitor:///var/log/syslog]
index = syslog
sourcetype = syslog
host_regex = /var/log/syslog/system-(.*).log*

(*) It's actually a VIP that goes to a load balancer, but that's not really important to this discussion.

eric_budke
Path Finder

And your FROMHOST doesn't get replaced with the VIP IP/hostname?

0 Karma

christopher_hod
Path Finder

I'm not sure what you mean by wildcarding in this context.

But this is a splunk message board and I can only comment on how splunk interacts with rsyslog.

As far as source goes, if you're using syslog, you're not going to get much more than source=syslog anyway.

If you want more specific sourcetypes, I can give you examples of that.

0 Karma

dcroteau
Splunk Employee
Splunk Employee

Thanks Mike, With our messages we'd lose the original source if we did it that way. Again, does either rsyslog support wildcarding.

0 Karma

dcroteau
Splunk Employee
Splunk Employee

That is rsyslog wildcarding

0 Karma

Brian_Osburn
Builder

I'd check the rsyslog web site with regards to what it supports or what it doesn't.

If it's a flavor of *syslog, then Splunk can consume it directly (not recommended in my opinion), or if it can write to a log and then have Splunk consume that log (little more failsafe).

Brian

dcroteau
Splunk Employee
Splunk Employee

I wish I could distinguish support for wildcarding on any website, that's why I wanted to run it by the community.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...