How do I forward all rsyslog output from an Ubuntu server to my Splunk 4.1 server?

rogerssoftware
Explorer

On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9.10 servers with Splunk v4.1 and rsyslog v4.

I searched and found that I should open a receiving port, 2010, in "Manager » Forwarding and receiving » Receive data", and also added the following line in /etc/rsyslog.conf on the sending server and restarted rsyslog:

*.* @@192.168.10.7:2010;SyslFormat

Splunk never receives anything from the remote server with this setup. Is there something I'm missing here?

TIA, Cotton

Also, it won't let me add 'rsyslog' or 'receiving' tags...


Dan
Splunk Employee

This should probably be posted as a separate question.

I recommend using a forwarder for multiple reasons - chiefly for reliability. See this answer: http://answers.splunk.com/questions/1114/what-happens-to-my-events-at-splunk-light-forwarder-when-th....

Also, you can still use the Splunk LWF. The following is what you are losing, none of which - with the exception of fschange - will interfere with the unix app: http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders


rogerssoftware
Explorer

It was the "SyslFormat" part at the end of that line in the rsyslog.conf file; it should have been:

*.* @@192.168.10.7:2010;

Dan
Splunk Employee

Forwarding and receiving is intended for receiving from another Splunk instance (usually a Splunk forwarder). You want to go to Manager » Data Inputs and open a UDP port, or TCP if that's an option for rsyslog.
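
The two things that went wrong in this thread are easy to check before restarting anything: the `;SyslFormat` suffix named a template that rsyslog.conf never defined, and the port Splunk listens on has to be a Data Input (`[tcp://…]` or `[udp://…]` in inputs.conf), not a "Forwarding and receiving" port, which only talks to Splunk forwarders. The script below is an added example written for this page, not code from the thread, from rsyslog or from Splunk. It lints the legacy `selector @@host:port;template` forwarding lines of an rsyslog.conf, reports template names that are referenced but never declared with `$template`, and prints the inputs.conf stanza the destination needs. The sample configs inside it are constructed from the lines quoted in the question; the built-in template names are rsyslog's standard `RSYSLOG_*` set; `connection_host = dns` and `sourcetype = syslog` are ordinary inputs.conf settings, chosen here as sensible defaults.

```python
"""Lint legacy rsyslog forwarding rules before pointing them at Splunk.

Checks (constructed example for this thread):
  1. every ";TemplateName" suffix on a forwarding rule names a template that
     the config defines with "$template" (or one of rsyslog's built-ins);
  2. the protocol/port of each destination, so the matching Splunk Data Input
     stanza (inputs.conf) can be written for that port.
"""
import re

# Legacy forwarding action: "<selector> @host[:port][;template]"
#   @  = UDP, @@ = TCP; "(z9,o)"-style options may follow the @ signs.
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+"
    r"(?P<proto>@@?)"
    r"(?:\([^)]*\))?"                    # optional action options, e.g. @@(o)
    r"(?P<host>\[[^\]]+\]|[^:;\s]+)"     # hostname, IPv4, or [IPv6]
    r"(?::(?P<port>\d+))?"
    r"(?:;(?P<template>\S*))?\s*$"       # ';' alone (empty template) is legal
)
TEMPLATE_RE = re.compile(r"^\$template\s+(?P<name>\S+?)\s*,", re.IGNORECASE)

# Templates rsyslog ships with; referencing them needs no $template line.
BUILTIN_TEMPLATES = {
    "RSYSLOG_TraditionalFileFormat", "RSYSLOG_FileFormat",
    "RSYSLOG_TraditionalForwardFormat", "RSYSLOG_ForwardFormat",
    "RSYSLOG_SyslogProtocol23Format", "RSYSLOG_SysklogdFileFormat",
    "RSYSLOG_DebugFormat",
}


def lint_forwarding(conf_text):
    """Return (problems, destinations).

    problems:     list of human-readable strings, empty when the config is clean
    destinations: list of (proto, host, port) for every forwarding rule found
    """
    defined = set(BUILTIN_TEMPLATES)
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = TEMPLATE_RE.match(line)
        if m:
            defined.add(m.group("name"))
            continue
        m = FORWARD_RE.match(line)
        if m:
            rules.append((lineno, m))

    problems, destinations = [], []
    for lineno, m in rules:
        tmpl = m.group("template")
        if tmpl and tmpl not in defined:
            # rsyslog reports an error for such a rule and does not load the
            # action, so the destination receives nothing (the thread's symptom).
            problems.append(
                f"line {lineno}: template '{tmpl}' is referenced but never "
                f"defined with $template; drop the suffix or define it")
        proto = "tcp" if m.group("proto") == "@@" else "udp"
        port = int(m.group("port") or 514)       # syslog default when omitted
        destinations.append((proto, m.group("host"), port))
    return problems, destinations


def splunk_input_stanza(proto, port, sourcetype="syslog"):
    """inputs.conf stanza making the port a Data Input on the receiving Splunk.

    A splunktcp 'receiving' port only accepts Splunk forwarders; plain syslog
    from rsyslog needs a raw tcp:// or udp:// input like this one.
    """
    return (f"[{proto}://{port}]\n"
            f"sourcetype = {sourcetype}\n"
            f"connection_host = dns\n")


# Constructed sample configs, built from the lines quoted in the question.
BROKEN_CONF = "*.* @@192.168.10.7:2010;SyslFormat\n"       # undefined template
FIXED_CONF = "*.* @@192.168.10.7:2010;\n"                  # the accepted fix
DEFINED_CONF = ('$template SyslFormat,"%TIMESTAMP% %HOSTNAME% %msg%\\n"\n'
                "*.* @@192.168.10.7:2010;SyslFormat\n")    # template declared

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                       ("defined", DEFINED_CONF)):
        problems, dests = lint_forwarding(conf)
        print(f"== {name} ==")
        for p in problems:
            print("  PROBLEM:", p)
        for proto, host, port in dests:
            print(f"  forwards to {host} over {proto}/{port}; Splunk needs:")
            print("    " + splunk_input_stanza(proto, port).replace("\n", "\n    "))
```

Run it against your own /etc/rsyslog.conf by replacing the constructed strings with the file's contents; `rsyslogd -N1` remains the authoritative syntax check, this lint only surfaces the two mistakes discussed here.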

rogerssoftware
Explorer

I have tried that also, restarting Splunk of course, with no results.

Any other ideas?
