We use the nxlog agent on out Windows domain controllers/Exchange servers/IIS servers and forward to a centralized rsyslog server.
Would it be possible to install the Splunk Forwarder on the centralized rsyslog server and filter the syslogs that would be forwarded from the centralized rsyslog server to our Splunk indexer to help filter out the unwanted events?
Yeah, provided you use a heavy forwarder instead of a universal forwarder.
Note, you can have your indexer(s) filter data regardless of where it came from.
Thx for the reply Martin
I assume for the rsyslog configuration, it's ok to log to a file, in which I would then configure the forwarded to forward the rsyslog log files to the Indexer, correct?
Yup, having stuff written to a log file and then read by a forwarder with a regular
monitor:// stanza is good practice.
Another one more question 🙂
Is it possible to set the forwarder to be a black list and exclude events/logs that I don't want to be indexed, or does it only function as a white list?
Yes,HF,filter using props & transform,send the ones you do not want to nullqueue. Again, like Martin mentioned below..
Thx for the reply and info.
At some point I hope they migrate the filtering function onto the Indexer so one can start by indexing everything at first, and then allow the user the ability to go in and start selecting events to be excluded. Not sure how this would effect scalability/performance of the indexer though if it was implemented as such.
That's there already, it's called "searching" 😛