Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I forward all rsyslog output from an ubuntu server to my Splunk 4.1 server?

rogerssoftware
Explorer
‎04-06-2010 09:35 PM

On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9.10 servers with Splunk v4.1 and rsyslog v4.

I searched and found that I should can a receiving port, 2010, in "Manager » Forwarding and receiving » Receive data", and also added the following line in /etc/rsyslog.conf on the sending server and restarted rsyslog:

*.* @@192.168.10.7:2010;SyslFormat

Splunk never receives anything from the remote server with this setup. Is there something I'm missing here?

TIA, Cotton

Also, it won't let me add 'rsyslog' or 'receiving' tags...

    * new users can't create tags; 'rsyslog forwarding' are new tags
Tags (1)
Reply

Dan
Splunk Employee
Splunk Employee
‎04-07-2010 03:08 AM

This should probably be posted as a separate question.

I recommend using a forwarder for multiple reasons - chiefly for reliability. See this answer: http://answers.splunk.com/questions/1114/what-happens-to-my-events-at-splunk-light-forwarder-when-th....

Also, you can still use the Splunk LWF. The following is what you are losing, none of which - with the exception of fschange - will interfere with the unix app: http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders

0 Karma
Reply

rogerssoftware
Explorer
‎04-06-2010 11:43 PM

It was the "SyslFormat" part at the end of that rsyslog.conf file, it should have been:

*.* @@192.168.10.7:2010;
Reply

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:38 PM

Forwarding and receiving is intended for receiving from another Splunk instance (usually a Splunk forwarder). You want to go to Manager » Data Inputs and open a udp port, or tcp if that's an option for rsyslog.

Reply

rogerssoftware
Explorer
‎04-06-2010 11:07 PM

I have tried that also, restarting splunk of course, with no results.

Any other ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...