Getting Data In

How to send syslog-ng messages to Splunk properly?

Explorer

How to send syslog-ng messages to Splunk properly? I'm using Free 'splunk-4.1.4-82143-linux-2.6-intel.deb' and 'syslog-ng 2.0.9-4.1' on Debian Lenny. Both are installed on the same machine, one host, small server. I want Splunk to read from syslog-ng.

I have read so many articles on how to send syslog-ng to Splunk and still feel lost and very frustrated, as the information is either outdated, contradicts another article, is for Windows, or is incomplete. One example of many: http://www.splunk.com/wiki/Deploy:CreateSyslogNGRules

So far the methods I think to do this are either:

  1. Create a pipe (mkfifo) from syslog-ng to Splunk? I read Splunk doesn't recommend the use of FIFOs.

  2. Add the syslog log to Manager ->Data inputs->TCP/Add new/select source type: From list/select source type from list: syslog/ Index select main (there isn't 'default' on the list), done? I don't need to add anything to syslog-ng?

  3. Add the syslog log to Manager ->Data inputs->File & directories->Add new -> /var/log/syslog Index select main, add /var/log/*.log , done?

  4. Forwarder? (wouldn't this be only for sending to another machine) and TCP forwarding only works in Enterprise edition? Manager->Forwarding and receiving->Receive data->Add new, enter 514 and be done with it? I don't need to add anything to syslog-ng or /opt/splunk/etc/system/local/inputs.conf?

Please if you could tell me the best and correct method for my setup.

Thank you, Katey


Explorer

Thank you stephanbuys. I feel more confident knowing others use this same method then. I have added these logs: no regex, segment 4, main index, auto-detect type for all except syslog, which I added under the file list as syslog (didn't know if the others should be under syslog as well):

/var/log/auth.log
/var/log/cron.log
/var/log/daemon.log
/var/log/debug
/var/log/kern.log
/var/log/mail.err
/var/log/mail.log
/var/log/messages
/var/log/syslog
/var/log/user.log
/var/log/uucp.log

Since those are the ones syslog-ng writes.

Thank you again :))


Path Finder

Katey, in one of my environments I have a similar setup and I would recommend that you go with proposal 3. (Add the syslog log to Manager ->Data inputs->File & directories->Add new -> /var/log/syslog).

You don't have to configure the whitelist regex.

The advantage of this approach is that Splunk will automatically monitor /var/log/syslog, and in the event of Splunk ever stopping (for example because of a reboot) it will be able to continue where it left off; it automatically keeps track of its progress when in this mode.

Adding a forwarder is just adding complexity and overhead.

Explorer

Thank you ftk very much for your reply. I think this shouldn't be as hard as I've made it. I want syslog-ng to send to Splunk also - presently syslog-ng sends to logs it writes to & sends to MySQL for LogZilla. I use LogZilla and it was as easy as just installing it - LogZilla added its own entries to syslog-ng.conf.

I understand adding the files (solution 3), but I have it in my mind that somehow I'm supposed to have syslog-ng feed directly to Splunk, as I was doing with the fifo (not adding log by log (clone)). So I thought I must send syslog-ng directly to Splunk via a TCP port and it will sort out what goes where (instead of reading all the logs in /var/log) :/. Does that make sense? 😄

You replied:

"Point your managed hosts to send syslog to the syslog-ng" <-I'm not using syslog I believe, I'm using only syslog-ng and syslog-ng is working.

"configuring syslog-ng to create a log file per host" <- I have only one host/server/IP- just the box it is installed on, so I don't believe I need to do this?

"And then when configuring your monitor, set the host to be dynamically defined based on a segment in the path (in this case segment 4)" <- Though I have only one host/IP, I should still do this?: Set host: segment in path, Segment #: 4

Thank you again ftk 🙂


Motivator

Katey, solution 3 you posted sounds best.

Basically you would want to set up syslog-ng on your splunk server and index the log files it generates. Point your managed hosts to send syslog to the syslog-ng instance on your splunk server and you're done.

I recommend configuring syslog-ng to create a log file per host, preferably in a directory structure that identifies the host:

/var/log/syslog-ng/hostA/logfile.log
/var/log/syslog-ng/hostB/logfile.log
/var/log/syslog-ng/hostC/logfile.log

And then when configuring your monitor, set the host to be dynamically defined based on a segment in the path (in this case segment 4). Check out http://www.splunk.com/base/Documentation/latest/Admin/Setadefaulthostforaninput#Dynamically_setting_... for more info.

Hope this will get you down the right track.
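Putting the two halves of this answer together, here is an added configuration example (not ftk's or Katey's actual config, and not taken from the Splunk documentation) for the per-host directory layout above and for the single-box setup in the question. It assumes the existing local source in syslog-ng.conf is named s_src (the Debian default name; use whatever your file defines), that remote hosts send on port 514, and that Splunk is installed under /opt/splunk as in the question.

```conf
# ---- /etc/syslog-ng/syslog-ng.conf (additions) ----
# Assumption: the local source already defined in this file is named s_src.

options {
    # Take $HOST from the sender's address rather than from the hostname
    # field inside the message, so a client cannot land its lines in another
    # host's directory by writing a different hostname into the message.
    keep_hostname(no);
    use_dns(no);
    use_fqdn(no);
    chain_hostnames(no);
};

# Network source for the managed hosts that forward syslog to this server.
source s_net {
    udp(ip("0.0.0.0") port(514));
    tcp(ip("0.0.0.0") port(514) max_connections(100));
};

# One file per sending host: /var/log/syslog-ng/<host>/logfile.log
# create_dirs(yes) makes the per-host directory on first message.
destination d_perhost {
    file("/var/log/syslog-ng/$HOST/logfile.log"
         create_dirs(yes)
         owner("root") group("adm") perm(0640) dir_perm(0750));
};

log { source(s_net); destination(d_perhost); };
# Messages from this box itself go into the same tree under its own name.
log { source(s_src); destination(d_perhost); };

# ---- /opt/splunk/etc/system/local/inputs.conf ----
# Per-host tree: host is the 4th "/"-separated path segment
# (var = 1, log = 2, syslog-ng = 3, <host> = 4).
[monitor:///var/log/syslog-ng/*/logfile.log]
sourcetype = syslog
index = main
host_segment = 4
disabled = false

# Single-box case from the question: syslog-ng and Splunk on the same
# machine, reading the file syslog-ng already writes. host stays at its
# default (this server's own name), so no host_segment is set here.
[monitor:///var/log/syslog]
sourcetype = syslog
index = main
disabled = false
```

Reload syslog-ng and restart Splunk (/opt/splunk/bin/splunk restart) after editing, and make sure the user Splunk runs as can read the files (here: root or a member of group adm). The monitor stanza with host_segment is the inputs.conf equivalent of the "Set host: segment in path, Segment #: 4" choice in the Manager UI; the wildcard in the path picks up new per-host directories as syslog-ng creates them.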
