Getting Data In

How to make universal forwarder to receive syslogs and forward to Splunk cloud?

brat_1990
Engager

We have a situation where the application sends the logs in syslog format. But we don't have a Syslog server to receive it.

Instead, can we make the UF (installed in the same app server) receive those syslog events and forward them to Splunk Cloud?

Note: We don't have the physical location of the logs in the app server to monitor using UF


gcusello
SplunkTrust

Hi @brat_1990 ,

If you have a Linux server, you could configure an rsyslog server that writes syslogs in files that you can read using the UF.

Otherwise you could install the SC4S app (that's a syslog-ng server).

Last choice is to use a Heavy Forwarder.

My hint is to use an rsyslog server (I usually do this).

Ciao.

Giuseppe

brat_1990
Engager

Hi @gcusello,

Appreciate your response and support.

Since we are using a Windows server for the application I might want to know more about this aspect, please.

The below link suggests using UF to monitor TCP/UDP. Please share your take on the same

Both Splunk Enterprise and the universal forwarder support monitoring over UDP

Also, I would like to know if the SC4S app can be installed directly on the Windows server or if it needs any *nix environment to work.


PickleRick
SplunkTrust

You can use UF (or HF) for directly monitoring network input (tcp or udp port). Be aware however of the shortcomings of such a solution.

1. You can only define one sourcetype for a given input, so if you want to listen for data from several different sources you have to either create multiple inputs or do some complicated index-time rewriting and rerouting. Not easy to maintain.

2. There used to be some performance problems compared to a specialized syslog daemon.

3. You lose network-level metadata.

So if you can live with that, you can define a tcp or udp input and live with that. But it's not a recommended solution.

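As an added illustration of point 1 above (not part of the original thread), here is what a UF-side inputs.conf for two syslog-speaking applications looks like: each network input carries exactly one sourcetype, so a second application needs a second input stanza. The port numbers, index name and sourcetype names are assumptions for the example; the index must already exist in Splunk Cloud. The file location is the usual one for local settings on a forwarder.

```ini
# Assumed location on the Windows UF: %SPLUNK_HOME%\etc\system\local\inputs.conf
# Example configuration, not taken from the thread or from Splunk documentation verbatim.

# Application 1 sends BSD syslog over UDP 514 (assumed port).
[udp://514]
sourcetype = syslog
index = app_syslog
# host field is set from the sender's IP; "dns" would do a reverse lookup per event.
connection_host = ip
# Keep the raw message exactly as received instead of prepending a timestamp/host.
no_appending_timestamp = true
# Keep the <PRI> header so facility/severity can still be extracted at search time.
no_priority_stripping = true

# Application 2 sends syslog over TCP 1514 (assumed port) and needs its own sourcetype,
# hence its own stanza: one sourcetype per input.
[tcp://1514]
sourcetype = app2:syslog
index = app_syslog
connection_host = ip
```

After editing the file, restart the forwarder and confirm the merged result with `splunk btool inputs list --debug`, which shows which file each effective setting came from. Point 3 above is visible here too: the only sender information that survives is whatever `connection_host` puts in the `host` field.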

brat_1990
Engager

Hello @PickleRick ,

Thank you for the detailed information.

I have gone through the shortcomings and I guess I'll work through that. However, could you please guide me on the inputs.conf and outputs.conf for cloud?

Is there a way to validate if the UF is receiving logs? 

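On the validation question, one practical check is to send a uniquely tagged test message to the UF's syslog port and then search for that tag in Splunk Cloud. The script below is an added example, not code from the thread or from Splunk: it builds an RFC 3164 syslog line, sends it over UDP to a host and port you give it, and includes an offline loopback mode that stands in for the forwarder's listener so the sender itself can be exercised without Splunk. Hostname, tag and the default port 514 are assumed values.

```python
import socket
import sys
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def build_pri(facility, severity):
    """Render the syslog PRI header: <facility * 8 + severity>."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return "<%d>" % (facility * 8 + severity)


def build_syslog_message(facility, severity, hostname, tag, msg, when=None):
    """Build a BSD-style syslog line: PRI TIMESTAMP HOSTNAME TAG: MSG."""
    when = when or datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded to two chars
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    line = "%s%s %s %s: %s" % (build_pri(facility, severity), stamp, hostname, tag, msg)
    return line.encode("utf-8")


def parse_pri(data):
    """Return (facility, severity) from a datagram's leading <N>, or None if malformed."""
    text = data.decode("utf-8", errors="replace")
    if not text.startswith("<"):
        return None
    end = text.find(">", 1, 5)          # PRI is at most three digits
    if end == -1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def send_udp(payload, host, port):
    """Send one datagram to the forwarder's [udp://port] input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))


def loopback_check(payload):
    """Offline self-test: bind a throwaway UDP listener on 127.0.0.1, send the
    payload to it and return (received_bytes, sender_ip). This mimics what the
    UF sees on its UDP input, so the sender can be verified without Splunk."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))     # ephemeral port
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_udp(payload, "127.0.0.1", port)
        data, addr = listener.recvfrom(65535)
        return data, addr[0]


def sample_payload():
    """Constructed fixed message used for the offline check (assumed host and tag)."""
    return build_syslog_message(FACILITY_LOCAL0, SEVERITY_INFO, "appserver01",
                                "uf-check", "hello", when=datetime(2024, 5, 1, 10, 0, 0))


if __name__ == "__main__":
    # Usage: python uf_syslog_check.py <uf-host> [port]   or   --loopback
    if len(sys.argv) > 1 and sys.argv[1] == "--loopback":
        data, src = loopback_check(sample_payload())
        print("loopback received from %s: %r, pri=%s" % (src, data, parse_pri(data)))
    else:
        target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 514   # assumed UF input port
        marker = "splunk-uf-check-" + datetime.now().strftime("%Y%m%d%H%M%S")
        send_udp(build_syslog_message(FACILITY_LOCAL0, SEVERITY_INFO, "appserver01",
                                      "uf-check", marker), target, port)
        print("sent test message with marker %s to %s:%d" % (marker, target, port))
```

Once the forwarder is configured, run the script against the UF's address and port and search Splunk Cloud for the printed marker string (for example `index=<your index> "splunk-uf-check-"`). If nothing arrives, the forwarder's own `splunkd.log` in `%SPLUNK_HOME%\var\log\splunk` records whether the UDP input bound successfully and whether the connection to the cloud indexers is up.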

gcusello
SplunkTrust

Hi @brat_1990 ,

rsyslog and SC4S require a Linux UF.

The documentation describes (I never tried it) that it's possible to enable syslog receiving also on a Windows Universal Forwarder (it's surely possible on a Heavy Forwarder), obviously by manually inserting inputs in the inputs.conf file.

Ciao.

Giuseppe
