Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is there an app that exists for syslog-ng?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
patelmc
Explorer
03-12-2019
07:48 AM
We are using syslog-ng to collect syslog from various devices and we want to use this into splunk.
Is there any app exist which I can use to monitor syslog-ng?
here is the sample logfile /home/syslog/logfile.
Sep 23 21:09:28 10.10.10.11 sshd[18834]: fatal: Read from socket failed: Connect
ion reset by peer
Sep 23 21:09:29 10.10.10.10 routed[14561]: cpcl_cxl_runtime_status: HA mode not
started
Sep 23 21:10:00 last message repeated 124 times
Sep 23 21:11:01 last message repeated 244 times
Sep 23 21:12:02 last message repeated 244 times
How splunk will handle "last message repeated" lines?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
03-12-2019
08:31 AM
It will index it exactly as written:
'Sep 23 21:10:00 last message repeated 124 times'
You don't need an app for syslog-ng - it is nativly supported by Splunk, just be sure to set the sourcetype as 'syslog' when you configure it as an input.
See:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
https://www.splunk.com/blog/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part-1... (scenario 3)
And the wrong way to do it:
https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jayasatyaallapa
New Member
03-12-2019
08:36 AM
Good Morning,
You don't need any app to monitor syslog-ng... Go to data inputs in settings in splunk UI and enable the TCP and UDP port that can receive syslog messages.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
03-12-2019
09:00 AM
Don't do this!
If you already are collecting logs in syslog-ng collect the logs by reading them from file with a universal/heavy forwarder.
Do not forward events from syslog to syslog over a UDP/TCP port, that is the worst of all worlds.
You should always collect from the syslog file if it exists.
See: https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jayasatyaallapa
New Member
03-12-2019
08:44 AM
Make sure check for the ports in data inputs for both TCP and UDP using which port you are trying to receive data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
03-12-2019
08:31 AM
It will index it exactly as written:
'Sep 23 21:10:00 last message repeated 124 times'
You don't need an app for syslog-ng - it is nativly supported by Splunk, just be sure to set the sourcetype as 'syslog' when you configure it as an input.
See:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html
https://www.splunk.com/blog/2016/05/05/high-performance-syslogging-for-splunk-using-syslog-ng-part-1... (scenario 3)
And the wrong way to do it:
https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
