I am new to Splunk. I have installed Splunk ES 6.2.3 as an Indexer on a Windows 2008 R2 server. As an initial test, I installed the application and Forwarder App on another Windows 2008 server (which happens to be a Domain Controller). This seems to work fine as I am able to run searches and reports on the events from the remote server. So far so good ...
We have previously deployed Kiwi Syslog Server ver. 9.4.2. This is already collecting events and alerts from all of our network devices and servers. Ideally, I would like to send the data from Kiwi Syslog into Splunk (rather than have every single device forward log information to the Splunk Indexer directly). Now, I installed the Splunk ES on the same Windows 2008 server that is running Kiwi Syslog. Now, if Kiwi Syslog had been on a different server, I guess I would simply set up a Forwarder there. But how do I get the syslog information into Splunk if it resides on the same server? This may seem like a strange question, but remember I'm a newbie 🙂
Any advice or suggestions would be appreciated.
Is it possible to configure the Kiwi syslog to send syslog events to the same IP of the server and port 515 (or another)?
It should do the trick.
Best practice: Create a directory to contain the syslog data. Have the Kiwi syslog write to that directory, rotating files regularly. In Splunk, set up a monitor input that tracks the directory. (FYI, it is a local input.) Choose "continuously monitor" rather than "index once."
Finally, are you really using Splunk Enterprise Security - also known as ES? If so, there are a lot more things you need to consider besides just getting the data into Splunk. How are you going to integrate the new data into the security dashboards and alerts that are part of ES?
Caveat: I am a Splunk instructor. But I still think that you should attend the Splunk training on administration and ES if you want to have an easier/better time setting up new inputs, etc.!
Thanks for your reply. I'll look into setting that up on the Kiwi Syslog side. Yes, I am testing with the free version of Splunk ES, and agree that there is plenty of complexity to get my arms around. One step at a time ... thanks again.
"ES" in Splunk is usually taken to mean the Splunk Enterprise Security app - which is not free!
If you are just running the free version, that is "Splunk Enterprise Trial Version"
So the "ES" was confusing me!
I am trying to do the same thing from Kiwi to Splunk but struggling to set up the host value in Splunk.
I monitor the file in Splunk that Kiwi Syslog server is generating but Splunk is not understanding the hostname.
Is there a way?
Here is one thought. Can you install a Universal Forwarder on KIWI? If you set up an Input with stanzas for each sourcetype then you can output it to your indexes as needed.
Input (inputs.conf): Example only. The stanza header is a placeholder; put your own monitored path there.
    [monitor://<path-to-kiwi-log-directory>]
    sourcetype = cisco
    index = web
    host = ciscorouter1
Output (outputs.conf): Example only. These IPs are both Indexer IPs.
    [tcpout]
    defaultGroup = indexers
    [tcpout:indexers]
    server = 10.0.10.2:9997,10.0.10.3:9997
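A worked configuration for the file-monitor approach described earlier in this thread, added here as an example and not taken from any of the posters: it covers the host problem raised above by deriving the host from each Kiwi log line instead of a fixed host = value (a static host in inputs.conf stamps that one name on every event from the input). It assumes Kiwi writes its default tab-delimited layout (date, time, priority, hostname, message) to C:\Syslog, and the index and sourcetype names are made up.

```ini
# --- inputs.conf (on the Splunk instance that reads the Kiwi files) ---
# Assumed directory; Kiwi rotates its daily files here.
[monitor://C:\Syslog\*.txt]
sourcetype = kiwi_syslog
# Made-up index name; create it before enabling the input.
index = network
disabled = 0

# --- props.conf (on the indexer or heavy forwarder) ---
[kiwi_syslog]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp is the first 19 characters: "2015-07-21 10:22:33"
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Replace the default host (the Kiwi server) with the hostname column.
TRANSFORMS-kiwihost = kiwi_set_host

# --- transforms.conf (same instance as props.conf) ---
[kiwi_set_host]
# Assumed default Kiwi layout: date<TAB>time<TAB>priority<TAB>hostname<TAB>message
REGEX = ^\d{4}-\d{2}-\d{2}\t\d{2}:\d{2}:\d{2}\t[^\t]+\t([^\t]+)\t
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Host rewriting happens at parse time, so the props.conf and transforms.conf parts must live on the indexer (or a heavy forwarder), not on a universal forwarder; restart Splunk after adding them and confirm with a search over the kiwi_syslog sourcetype that host now shows the originating device.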