Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is it possible to manage syslog-ng.conf using a deployment server?

cburgman
Path Finder
‎09-14-2016 07:57 AM

I am currently managing 4 syslog servers using syslog-ng. I am trying to figure out the best way to manage the syslog-ng.conf file to prevent myself from having to make the same changes in 4 different locations.

Reply

rpquinlan
Path Finder
‎04-11-2018 11:34 AM

I was thinking about this today.. I wonder if this would work using the deployment server?

  1. On the deployment server, /etc/deployment-apps, create a folder syslogng_config with subfolders metadata and local, just like you would for a real Splunk app.
  2. Add another subfolder called "config" or something that Splunk doesn't use. Inside it, add your syslog-ng config file variables in a file, and reference the path in the 'real' syslog-ng.conf file. Ref: https://syslog-ng.com/documents/html/syslog-ng-ose-3.14-guides/en/syslog-ng-ose-guide-admin/html/inc...
  3. On your deployment server "Forwarder management", add your new app as normal.

As long as the file/folder permissions are good between Splunk and Syslog-NG, I would think this will work..

0 Karma
Reply

rpquinlan
Path Finder
‎04-11-2018 01:13 PM

It worked!!

At the very top of the syslog-ng.conf file, I added a statement:

@include "/opt/splunkforwarder/etc/apps/syslogng_config/*.conf"

Likely because I'm editing the file in Windows and deploying to linux, there were some syntax errors with missing spaces - identified with the command

syslog-ng --syntax-only
The output from that shows that there was a syntax error, but also where it pulled it from (my deployment server path)

After that, reloading the syslog-ng config made the new, managed config go live.

Hope this helps!

0 Karma
Reply

czanik
Engager
‎09-14-2016 08:44 AM

For example using puppet. There are many modules, this one was published by a former syslog-ng upstream developer and manages tens of thousands of machines: https://forge.puppet.com/ihrwein/syslog_ng

Reply

cburgman
Path Finder
‎10-05-2016 01:32 PM

Thanks for the info. Was hoping there was a way to do it painlessly with the deployment server. I will look into either puppet or ansible.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...