Solved: Not able to send logs to my syslog-ng server

g_paternicola · ‎12-22-2020

Hi eveyone, I'm try to send pihole.log to my syslog-ng server through an splunk universal forwarder.

Details about my system:
I configured following files:

inputs.conf
[monitor:///var/log/pihole.log]
disabled = false
sourcetype = pihole:log


output.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.20.30.15:514
[tcpout-server://10.20.30.15:514]


props.conf
[dnsmasq]
NO_BINARY_CHECK = true
DATETIME_CONFIG =
TIME_FORMAT = %b %d %H:%M:%S

The issue I'm gonna get is that the log file on the syslog side looks like this:

Dec 22 12:58:04 10.20.30.5 @
Dec 22 12:58:04 10.20.30.5
Dec 22 12:58:04 10.20.30.5 __s2s_capabilities
Dec 22 12:58:04 10.20.30.5 ack=0;compression=0
Dec 22 12:58:04 10.20.30.5 _raw
Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--
Dec 22 12:58:24 10.20.30.5 pihole
Dec 22 12:58:24 10.20.30.5 8089
Dec 22 12:58:24 10.20.30.5 @
Dec 22 12:58:24 10.20.30.5
Dec 22 12:58:24 10.20.30.5 __s2s_capabilities
Dec 22 12:58:24 10.20.30.5 ack=0;compression=0
Dec 22 12:58:24 10.20.30.5 _raw

which is not really much 🙂

Do you have a hint for me to solve this issue? I'd be very happy 🙂

scelikok · ‎12-22-2020

Sorry @g_paternicola, I missed that the syslog output processor is not available for UF. The same config should be running if you convert that UF to HF.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎12-22-2020

@g_paternicola, if you want to forward all data to syslog server you can use UF. You should send data to syslog server by using syslog output. Please try below config,

outputs.conf

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = 10.20.30.15:514

If this reply helps you upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

g_paternicola · ‎12-22-2020

@scelikok thank you for your hint! syslog stanza make really sense here... but I'm not gonna get any logs anymore...

scelikok · ‎12-22-2020

Sorry @g_paternicola, I missed that the syslog output processor is not available for UF. The same config should be running if you convert that UF to HF.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

aasabatini · ‎12-22-2020

Try to index data with the add (https://splunkbase.splunk.com/app/4505/) on and after forward to the syslog.

Yes you can forward the data via outputs.conf or GUI.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

g_paternicola · ‎12-22-2020

Thank you very much for your answer, but is that a good way sending logs to Splunk HF > Syslog-NG and then again to Splunk ?

aasabatini · ‎12-22-2020

Hi ,

To forward syslog data I suppose it's better use Splunk Heavyforwarder not Universal Forwarder.

The HF is only a normal splunk instance with Forwarding rule.

However I think it's better index the info logs and send to the syslog NG server.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

g_paternicola · ‎12-22-2020

Even on HF I have to configure inputs.conf and outputs.conf like a UF, so what other should I configure on the HF in order to get the right data and not this garbage? Do I have to install the pihole app in order to get clearly data in and then forward it to my syslog?

Not able to send logs to my syslog-ng server

inputs.conf

Linux

props.conf

sourcetype

universal forwarder

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life