Getting syslog data into splunk lightweight forwar...

ultra · ‎09-16-2010

Hi, I'm new to splunk, so my question might be lame. I am trying to setup a splunk lightweight forwarder, my problem is the following. If it is a lightweight forwarder, it cannot be a listener. How do I get data into lightweight forwarder in first place (I have syslog-ng running on the same box, and I want LWF to load balance the data across several indexers)?

gkanapathy · ‎09-17-2010

The best way to do this is to just have Splunk monitor the files/directories where syslog-ng is writing (and rotating) log files. The reason for this is that the files can provide a buffer for capturing data for when the forwarder can't receive data (e.g., if the network is down and the queue fills up, or the forwarder is restarted, or a temporarily high input data rate such that the indexer backs up, etc.). For this, then you don't need to enable the network inputs. You can just create a file monitor input using the CLI or configuration file.

You can re-enable UDP inputs on a LWF by creating a local default-mode.conf file containing the entry:

[pipeline:udp]
disabled =false

but I think that capturing the data with syslog, syslog-ng, or rsyslog is better because of the buffering it provides.

Getting syslog data into splunk lightweight forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?