Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to manage syslog-ng.conf using a de...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to manage syslog-ng.conf using a deployment server?
cburgman
Path Finder
09-14-2016
07:57 AM
I am currently managing 4 syslog servers using syslog-ng. I am trying to figure out the best way to manage the syslog-ng.conf file to prevent myself from having to make the same changes in 4 different locations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rpquinlan
Path Finder
04-11-2018
11:34 AM
I was thinking about this today.. I wonder if this would work using the deployment server?
- On the deployment server, /etc/deployment-apps, create a folder syslogng_config with subfolders metadata and local, just like you would for a real Splunk app.
- Add another subfolder called "config" or something that Splunk doesn't use. Inside it, add your syslog-ng config file variables in a file, and reference the path in the 'real' syslog-ng.conf file. Ref: https://syslog-ng.com/documents/html/syslog-ng-ose-3.14-guides/en/syslog-ng-ose-guide-admin/html/inc...
- On your deployment server "Forwarder management", add your new app as normal.
As long as the file/folder permissions are good between Splunk and Syslog-NG, I would think this will work..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rpquinlan
Path Finder
04-11-2018
01:13 PM
It worked!!
At the very top of the syslog-ng.conf file, I added a statement:
@include "/opt/splunkforwarder/etc/apps/syslogng_config/*.conf"
Likely because I'm editing the file in Windows and deploying to linux, there were some syntax errors with missing spaces - identified with the command
syslog-ng --syntax-only
The output from that shows that there was a syntax error, but also where it pulled it from (my deployment server path)
After that, reloading the syslog-ng config made the new, managed config go live.
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
czanik
Engager
09-14-2016
08:44 AM
For example using puppet. There are many modules, this one was published by a former syslog-ng upstream developer and manages tens of thousands of machines: https://forge.puppet.com/ihrwein/syslog_ng
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cburgman
Path Finder
10-05-2016
01:32 PM
Thanks for the info. Was hoping there was a way to do it painlessly with the deployment server. I will look into either puppet or ansible.
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
