Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issue Getting Data In to Splunk Cloud

qcjacobo2577
Path Finder
‎06-29-2021 04:59 PM

We are in the midst of standing up our Splunk Cloud environment. Our architecture and data flows are as follows:

Syslog-NG (w/ Splunk UF Installed) > On-Premise Splunk Heavy Forwarder > Splunk Cloud

I am trying to make sure all of my configurations are sound for getting data from my Syslog Server into Splunk Cloud --- and it would appear that some things are incorrect.  

Right now, my configurations are such:

===Syslog-NG Configuration===
@version: 3.25
@include "scl.conf"
options {
chain_hostnames(no);
create_dirs (yes);
dir_perm(0755);
dns_cache(yes);
keep_hostname(yes);
log_fifo_size(2048);
log_msg_size(8192);
perm(0644);
time_reopen (10);
use_dns(yes);
};

source s_paloalto { tcp(port(5141) flags(no-parse,store-raw-message)); };
source s_locallogs { system(); internal(); };

destination d_paloalto { file("/var/log/splunkcloud/paloalto/\$HOST/\$YEAR-\$MONTH-\$DAY-palo.log"); };
destination d_locallogs { file("/var/log/splunkcloud/systemlogs/\$HOST/\$YEAR-\$MONTH-\$DAY-system.log"); };

log { source(s_paloalto); destination(d_paloalto); };
log { source(s_locallogs);destination(d_locallogs); };

=======================

===Syslog-NG Splunk UF Inputs.Conf===


[monitor:///var/log/splunklogs/paloalto]
disabled = 0
index=network
sourcetype=paloalto

[monitor:///var/log/splunklogs/systemlogs]
disabled = 0
index=syslogs
sourcetype=syslogs

=======================

===Syslog-NG Splunk UF Outputs.Conf===


[tcpout]
defaultGroup = syslogs_group, paloalto_group

[tcpout:syslogs_group]
server=x.x.x.x:5140

[tcpout:paloalto_group]
server=x.x.x.x:5141

=======================

===Splunk HF Inputs.Conf===


[tcp://:5140]
index=syslogs
sourcetype=syslogs

[tcp://:5141]
index=network
sourcetype=paloalto

=======================

With that, all I am getting in to Splunk Cloud are the following (or similar):
--splunk-cooked-mode-v3--\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s-drsyslog-1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x008089\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x00\x00\x00__s2s_capabilities\x00\x00\x00\x00ack=0;compression=0\x00\x00\x00\x00\x00\x00\x00\x00_raw\x00

I did manually create an index on our HF named "syslogs", but while I can query the index, did not seem to make any difference with respect to the data itself.

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎07-02-2021 01:05 PM

I notice that the Splunk logs you are monitoring are under /var/log/splunklogs/

By default, /var/log is owned by root so if you are running Splunk as a non-root user it won't have access to the splunklogs sub-directory or the log files within it.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

Reply
Solved! Jump to solution

mahithclt
Engager
‎07-26-2021 08:44 AM

HI @qcjacobo2577 

Have you checked ? running this as root!
Please give your feedback so that it will be very helpful for the persons who are trying to learn splunk. Thank you

0 Karma
Reply
Solved! Jump to solution

qcjacobo2577
Path Finder
‎07-26-2021 10:17 AM

Indeed the files in question were permissioned to root.  Once I changed the permissions, everything worked as expected.  Thank you for your help!

Reply
Solved! Jump to solution

codebuilder
Influencer
‎07-26-2021 10:38 AM

Glad to help! If this resolved your issue please mark it as the Solution as it will help others who come along later 🙂

----
An upvote would be appreciated and Accept Solution if it helps!
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎07-02-2021 01:05 PM

I notice that the Splunk logs you are monitoring are under /var/log/splunklogs/

By default, /var/log is owned by root so if you are running Splunk as a non-root user it won't have access to the splunklogs sub-directory or the log files within it.

----
An upvote would be appreciated and Accept Solution if it helps!
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top