Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Is it possible to manage syslog-ng.conf using ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to manage syslog-ng.conf using a deployment server?
cburgman
Path Finder
09-14-2016
07:57 AM
I am currently managing 4 syslog servers using syslog-ng. I am trying to figure out the best way to manage the syslog-ng.conf file to prevent myself from having to make the same changes in 4 different locations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rpquinlan
Path Finder
04-11-2018
11:34 AM
I was thinking about this today.. I wonder if this would work using the deployment server?
- On the deployment server, /etc/deployment-apps, create a folder syslogng_config with subfolders metadata and local, just like you would for a real Splunk app.
- Add another subfolder called "config" or something that Splunk doesn't use. Inside it, add your syslog-ng config file variables in a file, and reference the path in the 'real' syslog-ng.conf file. Ref: https://syslog-ng.com/documents/html/syslog-ng-ose-3.14-guides/en/syslog-ng-ose-guide-admin/html/inc...
- On your deployment server "Forwarder management", add your new app as normal.
As long as the file/folder permissions are good between Splunk and Syslog-NG, I would think this will work..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rpquinlan
Path Finder
04-11-2018
01:13 PM
It worked!!
At the very top of the syslog-ng.conf file, I added a statement:
@include "/opt/splunkforwarder/etc/apps/syslogng_config/*.conf"
Likely because I'm editing the file in Windows and deploying to linux, there were some syntax errors with missing spaces - identified with the command
syslog-ng --syntax-only
The output from that shows that there was a syntax error, but also where it pulled it from (my deployment server path)
After that, reloading the syslog-ng config made the new, managed config go live.
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
czanik
Engager
09-14-2016
08:44 AM
For example using puppet. There are many modules, this one was published by a former syslog-ng upstream developer and manages tens of thousands of machines: https://forge.puppet.com/ihrwein/syslog_ng
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cburgman
Path Finder
10-05-2016
01:32 PM
Thanks for the info. Was hoping there was a way to do it painlessly with the deployment server. I will look into either puppet or ansible.
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
