Getting Data In

Monitoring syslog-ng on same local Splunk server, is it possible to trigger an email when specific keywords are seen?

New Member

I have syslog-ng logging some Cisco equipment, specifically ISDN q931 debugs. These log files are created and labeled by hostname.dailydate for daily files.

I want to be able to keep syslog-ng logging these files, but have Splunk monitor the data in this folder and/or the new files for that day. While monitoring, I want to be able to trigger an email with the line details that match a specific number in this debug IE telco ANI. Each time the specific number is seen, trigger a new email with log time and debug details, etc.

Is this something that can be done?

0 Karma

New Member

Hi, you can have Splunk read the logfiles you create with syslog-ng, or you can have syslog-ng send the logs to Splunk via the network.
Regarding the e-mail alert, that can be done with syslog-ng (not too old versions have an SMTP destination), and probably with Splunk as well.

HTH

Regards,
Robert Fekete
syslog-ng documentation maintainer

0 Karma

New Member

@frobert Fekete: syslog-ng 3.5.3 is my version. I know this is a Splunk forum, but if there is an easy way to monitor a log that is created daily for keywords and email from there, I would love to know how, if you could share.

0 Karma

New Member

Hi, sorry for not getting back to you earlier.
* simple e-mail alerting from syslog-ng
* you can also get daily emails, but that's probably difficult to get and overkill to do in syslog-ng (you need to use a pattern database to identify the related messages, and use message correlation and triggered actions), see https://www.balabit.com/documents/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-guide-admin/html/chapter...

For using syslog-ng with splunk, there is a whitepaper for the commercial version of syslog-ng, but most of it applies to the open source version as well, so it might be interesting for you: https://www.balabit.com/documents/pdf/syslog-ng-pe-whitepaper-splunk.pdf

Regards,

Robert

0 Karma
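Added example (not from the post above or from the syslog-ng documentation): a syslog-ng 3.5 configuration that keeps writing the per-host daily files while a second log path e-mails every Q.931 debug line carrying a given calling number through the smtp() destination Robert mentions. The UDP port, the /var/log/cisco path, the "Q931" substring, the number 5551234567 and the mail addresses are placeholders you would replace with your own.

```conf
@version: 3.5

# Cisco gear sends syslog over UDP to this host (assumed port).
source s_cisco {
    udp(ip(0.0.0.0) port(514));
};

# Keep the hostname.dailydate files exactly as before (assumed path).
destination d_cisco_daily {
    file("/var/log/cisco/$HOST.$YEAR$MONTH$DAY"
         create-dirs(yes)
         template("$ISODATE $HOST $MSGHDR$MSG\n"));
};

# Narrow to ISDN Q.931 debug output first (assumed substring "Q931"),
# then to lines that contain the calling number (placeholder ANI).
filter f_q931 { match("Q931" value("MESSAGE")); };
filter f_ani  { match("5551234567" value("MESSAGE")); };

# One e-mail per matching line, handed to the local MTA.
# Requires syslog-ng built with the afsmtp module (libesmtp).
destination d_ani_mail {
    smtp(
        host("localhost") port(25)
        from("syslog-ng" "syslog-ng@example.com")
        to("NOC" "noc@example.com")
        subject("ANI 5551234567 seen on $HOST at $ISODATE")
        body("Time: $ISODATE\nHost: $HOST\n\n$MSGHDR$MSG\n")
    );
};

# First path is unchanged logging; second path only fires on matches.
log { source(s_cisco); destination(d_cisco_daily); };
log { source(s_cisco); filter(f_q931); filter(f_ani); destination(d_ani_mail); };
```

If the number can appear in many lines of one call, expect one mail per line; the pattern database and correlation features Robert links are what you would use to collapse them into a single message per call.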

SplunkTrust

Yes, I believe what you describe can be done. The first step is to get the Cisco logs into Splunk, as it's not clear if you've done this already. You may be able to use an existing app for this.

Once you have the data indexed, you can schedule a real-time search for the specific number and have that search generate an emailed alert when the number is found.

---
If this reply helps you, an upvote would be appreciated.
0 Karma