On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9.10 servers with Splunk v4.1 and rsyslog v4.
I searched and found that I should can a receiving port, 2010, in "Manager » Forwarding and receiving » Receive data", and also added the following line in /etc/rsyslog.conf on the sending server and restarted rsyslog:
Splunk never receives anything from the remote server with this setup. Is there something I'm missing here?
Also, it won't let me add 'rsyslog' or 'receiving' tags...
* new users can't create tags; 'rsyslog forwarding' are new tags
Forwarding and receiving is intended for receiving from another Splunk instance (usually a Splunk forwarder). You want to go to Manager » Data Inputs and open a udp port, or tcp if that's an option for rsyslog.