The settings on QNAP are just the 4 below:
1. Enable syslog
2. Configure destination (Splunk) server IP address
3. UDP port: 514
4. Log type: system event log
Then, how can I set it up on the Splunk server?
Receive syslog on UDP port 514? But I cannot receive the syslog.
Did I make a mistake in the source type?
Is there an original source type for QNAP?
It would be helpful to specify what QNAP is. Some quick googling suggests it is a cloud storage service. If this is the case then the first question would be: are you certain UDP packets from the cloud service will reach your Splunk system? It's commonplace to not allow such traffic into corporate networks from the outside.
If you need to learn how to use Splunk search, refer to the Splunk documentation on searching. A very broad search for all indexes over all time for some keyword you know to be present should quickly determine whether the data is arriving at all. At this point I would suggest engaging network expertise to determine whether the packets are reaching the Splunk-installed system, and if so, to validate that the firewall on that system is allowing them in.
You go to "Settings > Data Inputs"; there you find UDP under "Local inputs"; choose "UDP > New".
In the next section, fill in port 514; you can skip the source name and "bind to" options.
In the next section, choose a source type, like qnap-syslog or something descriptive, and choose your index: qnap (if you have created such an index).
If you run Splunk on Linux, your OS user might not have permission to open a port under 1024.
Still confused? The docs are quite good nowadays and will bring you clarity.
Thank you for your answer.
I don't know how to search for the source type for QNAP and want to know the detailed source type.
Anyway, I have tried 'qnap-syslog' and 'qnap_syslog', but we still can't receive syslog from QNAP.
Could somebody please let us know if you know the procedure or have tried this with QNAP.
No, there is no "default / standard" source type for QNAP (maybe the "regular" syslog?).
Well, the source type in this case can be whatever you want it to be, and the same goes for the index. The important thing is that you have a clear communications path between your devices. If your QNAP is hosted off site, you might need to open a couple of ports in the firewall for it to be able to send data to Splunk.
In short: create an index in Splunk (qnap), create a new UDP input (port: 10514), assign this new input a source type ('qnap-syslog') and also assign this input an index (qnap).
Now configure your QNAP to send its syslog to splunk:10514.
In Splunk search, issue: index=qnap.
Make sure your index is searchable by your user.
Make sure there are no firewalls in between.
The docs WILL help you (take your time to read them).
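Two things in this thread are worth being able to check on your own machine: whether a UDP syslog datagram is arriving at all (the earlier answer's "is the data arriving" question) and whether the index/input/source type combination from the answer above actually lines up, since an event bound for an index that was never created goes nowhere. The Python below is an added example written for this thread, not code from Splunk, QNAP or any poster. It assumes constructed `inputs.conf` and `indexes.conf` stanzas that mirror the GUI steps (UDP 10514, source type `qnap-syslog`, index `qnap`), and a constructed RFC 3164-style line that is illustrative rather than a captured QNAP event.

```python
import configparser
import re
import socket

# Constructed stanzas mirroring the answer's GUI steps (not copied from a real
# deployment). On a real host these live under $SPLUNK_HOME/etc/apps/<app>/local/.
INPUTS_CONF = """\
[udp://10514]
sourcetype = qnap-syslog
index = qnap
connection_host = ip
"""

INDEXES_CONF = """\
[qnap]
homePath = $SPLUNK_DB/qnap/db
coldPath = $SPLUNK_DB/qnap/colddb
thawedPath = $SPLUNK_DB/qnap/thaweddb
"""

# Constructed BSD-syslog line (PRI 14 = facility user, severity info);
# illustrative only, not a message captured from a QNAP device.
SAMPLE_EVENT = ("<14>Mar  3 10:15:22 NAS-01 qlogd[1234]: System: [admin] "
                "logged in from 192.0.2.10 via HTTP.")

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Split a BSD syslog line into facility/severity (from PRI), host and message."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("timestamp"),
            "host": m.group("host"), "msg": m.group("msg")}


def _read_conf(text):
    # Splunk .conf files are INI-shaped; interpolation off so $SPLUNK_DB survives.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def load_udp_inputs(inputs_text):
    """Map UDP port -> {'sourcetype', 'index'} from every [udp://...] stanza."""
    cp = _read_conf(inputs_text)
    routing = {}
    for section in cp.sections():
        if section.startswith("udp://"):
            port = int(section.split("://", 1)[1].rsplit(":", 1)[-1])
            routing[port] = {"sourcetype": cp[section].get("sourcetype"),
                             "index": cp[section].get("index", "main")}
    return routing


def load_index_names(indexes_text):
    """Set of index names defined in indexes.conf."""
    return set(_read_conf(indexes_text).sections())


def route_event(line, port, routing, index_names):
    """Explain how a datagram on `port` would be tagged, or why it would be dropped."""
    stanza = routing.get(port)
    if stanza is None:
        return {"indexed": False, "reason": "no [udp://%d] stanza" % port}
    if stanza["index"] not in index_names:
        return {"indexed": False,
                "reason": "index %r is not defined in indexes.conf" % stanza["index"]}
    return {"indexed": True, "sourcetype": stanza["sourcetype"],
            "index": stanza["index"], "event": parse_rfc3164(line)}


def loopback_delivery_check(message, timeout=2.0):
    """Bind a UDP listener on 127.0.0.1 (ephemeral port, so no root needed),
    send `message` to it and return what arrived, or None on timeout."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        sender.sendto(message.encode(), listener.getsockname())
        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            return None
        return data.decode()
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    routing = load_udp_inputs(INPUTS_CONF)
    print(route_event(SAMPLE_EVENT, 10514, routing, load_index_names(INDEXES_CONF)))
    print(route_event(SAMPLE_EVENT, 10514, routing, set()))   # index never created
    print("loopback received:", loopback_delivery_check(SAMPLE_EVENT) == SAMPLE_EVENT)
```

The loopback check uses an ephemeral port because, as noted above, an unprivileged Splunk user on Linux cannot bind 514; in a real deployment the listener is Splunk's own `udp://10514` input and the sender is the NAS, and the equivalent check is `index=qnap` in search. The `route_event` path shows the failure mode the answer guards against by saying "create an index" first: with the input stanza present but no `[qnap]` index, the event is tagged correctly and still never shows up.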
I don't know much about QNAP, but this previous Answers post and blog might give you some ideas about receiving syslog data in Splunk: