Getting Data In

How to find out if the host is forwarding logs by syslog or UF?

MayurMangoli
Loves-to-Learn Everything

We have multiple devices forwarding logs to Splunk, some via the syslog mechanism and some via the UF, and it's difficult to identify the forwarding mechanism used for those devices. Is there any way to identify the syslog forwarding mechanism on port 514?


MayurMangoli
Loves-to-Learn Everything

The logs are forwarded by the host with 2 mechanisms: one with a syslog configuration at the host end using port 514, and the other by installing the UF on the host to forward the logs on port 9997. Is there any way to find the host details for hosts forwarding by these 2 mechanisms?


gcusello
SplunkTrust

Hi @MayurMangoli,

As I said, you can use the source field to identify if the source is a UDP or TCP syslog, e.g. on port 512, or a file from a Universal Forwarder.

It's more difficult if you're using an rsyslog or a syslog-ng server to receive syslogs, because they write syslogs to a file, so you cannot distinguish them.

My hint is to always have a perimeter (e.g. in a lookup or in an external Excel file) containing the monitoring perimeter, in which all the hosts under monitoring are listed along with the way their logs are ingested (e.g. syslog or UF, protocol, port, etc.).

All my projects start with the perimeter definition and analysis, which you can also use to check the data flow status.

Ciao.

Giuseppe

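The two ideas in the answer above (read the ingestion mechanism off the `source` field, then reconcile what is actually arriving against a perimeter lookup) carried through in code, as an added example that is not part of the original thread or of any Splunk tooling. It assumes Splunk's default `source` values for network inputs (`udp:<port>` / `tcp:<port>`) versus a file path for files monitored by a Universal Forwarder; the `/var/log/remote/` prefix used to recognise files written by a local rsyslog/syslog-ng server is a hypothetical site convention, and all host names, events and the perimeter CSV are constructed sample data.

```python
"""Classify how each host's events reached Splunk from the `source` field,
then reconcile the result against a perimeter lookup (host -> mechanism)."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of the metadata Splunk attaches to events (host, source,
# sourcetype).  Network inputs set source to "udp:<port>" / "tcp:<port>"; a
# Universal Forwarder monitoring a file sets source to the file path.  The
# rtr-wan-04 events come from a file written by a local rsyslog server: by
# source alone they look like any other file the UF monitors.
SAMPLE_EVENTS = [
    {"host": "fw-edge-01", "source": "udp:514", "sourcetype": "syslog"},
    {"host": "fw-edge-01", "source": "udp:514", "sourcetype": "syslog"},
    {"host": "sw-core-02", "source": "tcp:514", "sourcetype": "syslog"},
    {"host": "web-app-03", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:access"},
    {"host": "web-app-03", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"host": "rtr-wan-04", "source": "/var/log/remote/rtr-wan-04/messages", "sourcetype": "syslog"},
]

# Constructed perimeter lookup: every host that should be sending, and how.
# sw-core-02 is deliberately wrong (recorded as UF, actually arriving by TCP
# syslog) and db-main-05 is deliberately absent from the events.
PERIMETER_CSV = """host,mechanism,protocol,port
fw-edge-01,syslog,udp,514
sw-core-02,uf,tcp,9997
web-app-03,uf,tcp,9997
db-main-05,uf,tcp,9997
"""

NETWORK_SOURCE = re.compile(r"^(?P<proto>udp|tcp):(?P<port>\d+)$", re.IGNORECASE)

# Hypothetical site convention: rsyslog/syslog-ng write remote hosts' logs here.
SYSLOG_FILE_PREFIXES = ("/var/log/remote/",)


def classify_source(source):
    """Return (mechanism, detail) for one Splunk `source` value."""
    m = NETWORK_SOURCE.match(source)
    if m:
        return ("syslog-network", f"{m['proto'].lower()}:{m['port']}")
    if any(source.startswith(p) for p in SYSLOG_FILE_PREFIXES):
        return ("syslog-file", source)  # syslog that only reached Splunk via a UF-monitored file
    return ("uf-file", source)


def summarize_hosts(events):
    """Return {host: {(mechanism, detail), ...}} from event metadata."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].add(classify_source(ev["source"]))
    return dict(seen)


def load_perimeter(csv_text):
    return {row["host"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(perimeter, observed):
    """Compare the perimeter with what was observed.  Status per host:
      ok        observed, and mechanism (plus proto:port for network syslog) match
      mismatch  observed through a mechanism or port other than the one on record
      silent    on the perimeter but no events seen
      unlisted  events seen from a host missing from the perimeter"""
    result = {}
    for host, row in perimeter.items():
        kinds = observed.get(host)
        if not kinds:
            result[host] = "silent"
            continue
        families = {kind.split("-")[0] for kind, _ in kinds}
        ports_ok = all(
            detail == f"{row['protocol']}:{row['port']}"
            for kind, detail in kinds if kind == "syslog-network"
        )
        result[host] = "ok" if families == {row["mechanism"]} and ports_ok else "mismatch"
    for host in observed:
        if host not in perimeter:
            result[host] = "unlisted"
    return result


if __name__ == "__main__":
    report = reconcile(load_perimeter(PERIMETER_CSV), summarize_hosts(SAMPLE_EVENTS))
    for host, status in sorted(report.items()):
        print(f"{host:<12} {status}")
```

The search-side equivalent of `classify_source` is a single `eval` on the `source` field (for example `eval mechanism=if(match(source,"^(udp|tcp):\d+$"),"syslog","file")`) over the hosts returned by a `tstats` count by host and source; the reconciliation is then a `lookup` against the perimeter table. The `syslog-file` case is the limitation noted in the answer: once rsyslog or syslog-ng has written the events to disk, the port and protocol are gone and only a naming convention or the perimeter record can tell you they were syslog.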

gcusello
SplunkTrust

Hi @MayurMangoli,

What do you mean by "syslog mechanism"?

The port and protocol are defined in the source of your events.

The way to ingest syslogs is defined by your architecture.

The forwarder isn't defined yet, but I requested this feature in Splunk Ideas (https://ideas.splunk.com/ideas/EID-I-1731) and it's "under consideration"; if you think it's useful, please upvote it.

Ciao.

Giuseppe
