Getting Data In

How do I send data from Kiwi syslog to a Splunk indexer on the same server?

tladd1212
New Member

I am new to Splunk. I have installed Splunk ES 6.2.3 as an Indexer on a Windows 2008 R2 server. As an initial test, I installed the application and Forwarder App on another Windows 2008 server (which happens to be a Domain Controller). This seems to work fine as I am able to run searches and reports on the events from the remote server. So far so good ...

We have previously deployed Kiwi Syslog Server ver. 9.4.2. This is already collecting events and alerts from all of our network devices and servers. Ideally, I would like to send the data from Kiwi Syslog into Splunk (rather than have every single device forward log information to the Splunk Indexer directly). Now, I installed the Splunk ES on the same Windows 2008 server that is running Kiwi Syslog. Now, if Kiwi Syslog had been on a different server, I guess I would simply set up a Forwarder there. But how do I get the syslog information into Splunk if it resides on the same server? This may seem like a strange question, but remember I'm a newbie 🙂

Any advice or suggestions would be appreciated.

Thanks,
Tom


dougsearcy
Splunk Employee

Here is one thought. Can you install a Universal Forwarder on KIWI? If you set up an Input with stanzas for each sourcetype then you can output it to your indexes as needed.

Input: Example only
[monitor:///opt/log/cisco_router1/cisco_ironport_web.log]
sourcetype = cisco
index = web
host = cisco_router1

Output: Example only. These IPs are both Indexer IPs.
[tcpout:primary_indexers]
server = 10.0.10.2:9997,10.0.10.3:9997


lguinn2
Legend

Best practice: Create a directory to contain the syslog data. Have the Kiwi syslog write to that directory, rotating files regularly. In Splunk, set up a monitor input that tracks the directory. (FYI, it is a local input.) Choose "continuously monitor" rather than "index once."

Finally, are you really using Splunk Enterprise Security - also known as ES? If so, there are a lot more things you need to consider besides just getting the data into Splunk. How are you going to integrate the new data into the security dashboards and alerts that are part of ES?

Caveat: I am a Splunk instructor. But I still think that you should attend the Splunk training on administration and ES if you want to have an easier/better time setting up new inputs, etc.!

foysol_bgd
New Member

I am trying to do the same thing from Kiwi to Splunk but struggling to set up the host value in Splunk.
I monitor the file in Splunk that Kiwi Syslog Server is generating, but Splunk is not understanding the hostname.

Is there a way?

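
One way to set up the file-based approach described above (Kiwi writing rotated files, Splunk monitoring the directory locally) so that the host is taken from the Kiwi record instead of the Splunk server's own name. This is an added example, not configuration from this thread or from Splunk/Kiwi documentation; the log directory, the sourcetype name and the tab-delimited Kiwi layout (date, time, priority, hostname, message) are assumptions and must be matched to the actual Kiwi log format and path.

```ini
# inputs.conf  (on the single Splunk instance that runs beside Kiwi,
# e.g. $SPLUNK_HOME\etc\system\local\inputs.conf)
# Assumption: Kiwi is configured to write its log files into C:\KiwiLogs\
# and to rotate them (new file per day), so Splunk tails the directory.
[monitor://C:\KiwiLogs\*.txt]
sourcetype = kiwi_syslog
index = network
disabled = 0
# With no host override, every event gets the Splunk server's hostname,
# which is the symptom described in the thread; props/transforms below fix it.

# props.conf  (same instance; host assignment happens at index time)
[kiwi_syslog]
SHOULD_LINEMERGE = false
TRANSFORMS-kiwihost = kiwi_set_host

# transforms.conf  (same instance)
[kiwi_set_host]
# Assumed Kiwi line layout, tab-separated:
#   <date>\t<time>\t<priority>\t<hostname>\t<message>
# The first capture group (4th field) becomes the event's host.
REGEX = ^\S+\t\S+\t\S+\t(\S+)\t
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Restart Splunk (or reload the inputs) after editing, and verify with a search such as `index=network sourcetype=kiwi_syslog | stats count by host`; if Kiwi instead writes one file per device, the `host_segment` or `host_regex` settings on the monitor stanza are the simpler alternative to the transform.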

tladd1212
New Member

Thanks for your reply. I'll look into setting that up on the Kiwi Syslog side. Yes, I am testing with the free version of Splunk ES, and agree that there is plenty of complexity to get my arms around. One step at a time ... thanks again.

Tom


lguinn2
Legend

"ES" in Splunk is usually taken to mean the Splunk Enterprise Security app - which is not free!

Splunk ES

If you are just running the free version, that is "Splunk Enterprise Trial Version".

So the "ES" was confusing me!

tladd1212
New Member

You're not the only one who is confused, but that does clarify it for me - thanks.


gfreitas
Builder

Tom,

Is it possible to configure the Kiwi syslog to send syslog events to the same IP of the server and port 515 (or another)?

It should do the trick.
