Hi everyone, I'm trying to send pihole.log to my syslog-ng server through a Splunk universal forwarder.
Details about my system:
I configured the following files:
inputs.conf
[monitor:///var/log/pihole.log]
disabled = false
sourcetype = pihole:log
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.20.30.15:514
[tcpout-server://10.20.30.15:514]
props.conf
[dnsmasq]
NO_BINARY_CHECK = true
DATETIME_CONFIG =
TIME_FORMAT = %b %d %H:%M:%S
The issue I'm getting is that the log file on the syslog side looks like this:
Dec 22 12:58:04 10.20.30.5 @
Dec 22 12:58:04 10.20.30.5
Dec 22 12:58:04 10.20.30.5 __s2s_capabilities
Dec 22 12:58:04 10.20.30.5 ack=0;compression=0
Dec 22 12:58:04 10.20.30.5 _raw
Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--
Dec 22 12:58:24 10.20.30.5 pihole
Dec 22 12:58:24 10.20.30.5 8089
Dec 22 12:58:24 10.20.30.5 @
Dec 22 12:58:24 10.20.30.5
Dec 22 12:58:24 10.20.30.5 __s2s_capabilities
Dec 22 12:58:24 10.20.30.5 ack=0;compression=0
Dec 22 12:58:24 10.20.30.5 _raw
which is not really much 🙂
Do you have a hint for me to solve this issue? I'd be very happy 🙂
@g_paternicola, if you want to forward all data to a syslog server you can use a UF. You should send the data to the syslog server by using the syslog output. Please try the config below:
outputs.conf
[syslog]
defaultGroup=syslogGroup
[syslog:syslogGroup]
server = 10.20.30.15:514
If this reply helps you, an upvote is appreciated.
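As an added illustration (not code from the thread, and not Splunk's own tooling), here is a small Python script that does the two checks a defender would want after reading the question and this answer: it audits an outputs.conf for a [tcpout] stanza aimed at a syslog port (a tcpout destination receives Splunk's cooked Splunk-to-Splunk protocol, which is what produced the `--splunk-cooked-mode-v3--` and `__s2s_capabilities` lines in the question) and for a [syslog] stanza (which only a heavy forwarder can act on, as the later reply states), and it flags received lines that carry those S2S markers. The marker strings are the ones visible in the poster's syslog-ng file; the two outputs.conf samples are the thread's configs embedded as test input, and the dnsmasq-style line is constructed.

```python
"""Added example, not code from the thread or from Splunk: audit a Splunk
outputs.conf for the misconfiguration discussed above and flag Splunk-to-Splunk
(S2S) "cooked" protocol fragments that leaked into a syslog server's log."""
import configparser
import re

# Strings that appeared verbatim in the poster's syslog-ng file. They are parts of
# Splunk's cooked S2S protocol (what [tcpout] sends by default), not log events.
S2S_MARKERS = ("--splunk-cooked-mode-v", "__s2s_capabilities",
               "ack=0;compression=0", "_raw")

# Classic "Mon DD HH:MM:SS host message" prefix as written by syslog-ng.
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ?(?P<msg>.*)$")

# Ports on which a tcpout destination is almost certainly a syslog listener.
SYSLOG_PORTS = {"514", "601", "6514"}


def audit_outputs_conf(text):
    """Return human-readable findings for an outputs.conf given as a string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep Splunk's mixed-case keys (defaultGroup) as-is
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        server = cp[section].get("server", "") or ""
        if section.startswith("tcpout:"):
            for target in server.split(","):
                port = target.strip().rsplit(":", 1)[-1]
                if port in SYSLOG_PORTS:
                    findings.append(
                        f"[{section}] sends cooked S2S data to {target.strip()}; "
                        f"a syslog listener there logs protocol fragments, not events")
        elif section.startswith("syslog:"):
            findings.append(
                f"[{section}] uses the syslog output processor, which is not "
                f"available on a universal forwarder; use a heavy forwarder")
    return findings


def classify_received_lines(lines):
    """Split lines from the syslog server into real messages and S2S leakage."""
    result = {"syslog": [], "s2s": []}
    for line in lines:
        m = SYSLOG_PREFIX.match(line)
        msg = (m.group("msg") if m else line).strip()
        bucket = "s2s" if any(msg.startswith(mark) for mark in S2S_MARKERS) else "syslog"
        result[bucket].append(line)
    return result


# The two outputs.conf variants from the thread, embedded as constructed test input.
UF_TCPOUT_CONF = """\
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.20.30.15:514
[tcpout-server://10.20.30.15:514]
"""
SYSLOG_OUT_CONF = """\
[syslog]
defaultGroup=syslogGroup
[syslog:syslogGroup]
server = 10.20.30.15:514
"""

# Lines as they appeared in the poster's syslog-ng file, plus one constructed
# dnsmasq-style line showing what a real Pi-hole event would look like.
RECEIVED_LINES = [
    "Dec 22 12:58:04 10.20.30.5 @",
    "Dec 22 12:58:04 10.20.30.5",
    "Dec 22 12:58:04 10.20.30.5 __s2s_capabilities",
    "Dec 22 12:58:04 10.20.30.5 ack=0;compression=0",
    "Dec 22 12:58:04 10.20.30.5 _raw",
    "Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--",
    "Dec 22 12:58:24 10.20.30.5 pihole",
    "Dec 22 12:58:24 10.20.30.5 8089",
    "Dec 22 12:58:24 10.20.30.5 @",
    "Dec 22 12:58:24 10.20.30.5",
    "Dec 22 12:58:24 10.20.30.5 __s2s_capabilities",
    "Dec 22 12:58:24 10.20.30.5 ack=0;compression=0",
    "Dec 22 12:58:24 10.20.30.5 _raw",
    "Dec 22 12:59:01 10.20.30.5 dnsmasq[1234]: query[A] example.com from 192.168.1.10",  # constructed
]

if __name__ == "__main__":
    for name, conf in (("UF tcpout", UF_TCPOUT_CONF), ("syslog output", SYSLOG_OUT_CONF)):
        for finding in audit_outputs_conf(conf):
            print(f"{name}: {finding}")
    buckets = classify_received_lines(RECEIVED_LINES)
    print(f"{len(buckets['s2s'])} S2S protocol lines, {len(buckets['syslog'])} other lines")
```

Run against the thread's own data the audit reports one finding per config (the tcpout stanza pointing at port 514, and the syslog stanza needing a heavy forwarder), and 7 of the 14 received lines are recognised as S2S protocol fragments rather than events; a burst of such lines from one forwarder host is the signal to look for on the syslog side.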
@scelikok thank you for your hint! The syslog stanza really makes sense here... but I'm not getting any logs anymore...
Sorry @g_paternicola, I missed that the syslog output processor is not available for UF. The same config should be running if you convert that UF to HF.
Try to index the data with the add-on (https://splunkbase.splunk.com/app/4505/) and afterwards forward it to the syslog.
Yes you can forward the data via outputs.conf or GUI.
Thank you very much for your answer, but is that a good way, sending logs to Splunk HF > Syslog-NG and then again to Splunk?
Hi,
To forward syslog data I suppose it's better to use a Splunk Heavy Forwarder, not a Universal Forwarder.
The HF is just a normal Splunk instance with a forwarding rule.
However, I think it's better to index the logs and then send them to the syslog-ng server.
Even on an HF I have to configure inputs.conf and outputs.conf like on a UF, so what else should I configure on the HF in order to get the right data and not this garbage? Do I have to install the Pi-hole app in order to get clean data in and then forward it to my syslog?