
Not able to send logs to my syslog-ng server

g_paternicola
Path Finder

Hi everyone, I'm trying to send pihole.log to my syslog-ng server through a Splunk universal forwarder.

Details about my system. I configured the following files:

inputs.conf
[monitor:///var/log/pihole.log]
disabled = false
sourcetype = pihole:log


outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.20.30.15:514
[tcpout-server://10.20.30.15:514]


props.conf
[dnsmasq]
NO_BINARY_CHECK = true
DATETIME_CONFIG =
TIME_FORMAT = %b %d %H:%M:%S


The issue I'm getting is that the log file on the syslog side looks like this:


Dec 22 12:58:04 10.20.30.5 @
Dec 22 12:58:04 10.20.30.5
Dec 22 12:58:04 10.20.30.5 __s2s_capabilities
Dec 22 12:58:04 10.20.30.5 ack=0;compression=0
Dec 22 12:58:04 10.20.30.5 _raw
Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--
Dec 22 12:58:24 10.20.30.5 pihole
Dec 22 12:58:24 10.20.30.5 8089
Dec 22 12:58:24 10.20.30.5 @
Dec 22 12:58:24 10.20.30.5
Dec 22 12:58:24 10.20.30.5 __s2s_capabilities
Dec 22 12:58:24 10.20.30.5 ack=0;compression=0
Dec 22 12:58:24 10.20.30.5 _raw


which is not really much 🙂

Do you have a hint for me to solve this issue? I'd be very happy 🙂

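The lines pasted above are not Pi-hole events at all. They are the header strings and field names of Splunk's forwarder-to-indexer protocol (S2S, "cooked mode"), which a tcpout group speaks by default, written out by syslog-ng as if each were a syslog message. As an added example that is not part of the thread, the following Python classifier runs over the posted syslog-ng output plus one constructed dnsmasq line and reports which sending hosts are pushing S2S framing onto the syslog port. The marker strings are taken from the output above; the host threshold and the constructed dnsmasq line are assumptions.

```python
import re
from collections import Counter

# RFC 3164-style line as syslog-ng writes it to a file: "Mon DD HH:MM:SS host message".
# The message part is optional because one of the posted lines has nothing after the host.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+)(?: (?P<msg>.*))?$"
)

# Strings that belong to Splunk's forwarder-to-indexer (S2S, "cooked") protocol,
# taken from the output posted above. A real syslog payload never looks like this.
S2S_EXACT = {"", "@", "_raw", "__s2s_capabilities"}
S2S_PREFIX = ("--splunk-cooked-mode-v", "ack=")


def classify(line: str):
    """Return (kind, host) for one line written by syslog-ng.

    kind is one of:
      "s2s_leak"  - a Splunk S2S header or field name arrived on the syslog port
      "fragment"  - a bare token with no syslog TAG (a stray S2S field value such as
                    the forwarder's hostname or its management port)
      "syslog"    - a normal "TAG[pid]: message" payload
      "unparsed"  - not even the syslog-ng file header matched
    """
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return "unparsed", None
    host = m.group("host")
    msg = (m.group("msg") or "").strip()
    if msg in S2S_EXACT or msg.startswith(S2S_PREFIX):
        return "s2s_leak", host
    if " " not in msg and ":" not in msg:
        return "fragment", host
    return "syslog", host


def find_misconfigured_forwarders(lines, min_hits: int = 3):
    """Hosts that sent at least min_hits S2S leaks/fragments: candidates for a
    tcpout group pointed at a syslog receiver. min_hits is an arbitrary choice."""
    hits = Counter()
    for line in lines:
        kind, host = classify(line)
        if kind in ("s2s_leak", "fragment"):
            hits[host] += 1
    return sorted(h for h, n in hits.items() if n >= min_hits)


def summarize(lines):
    """Count of each kind over the input, e.g. {'s2s_leak': 11, 'fragment': 2, 'syslog': 1}."""
    return dict(Counter(classify(l)[0] for l in lines))


# Constructed sample: the 13 lines from the post, plus one genuine-looking dnsmasq
# line in the shape pihole.log uses, to show what the file should have contained.
SAMPLE_LINES = [
    "Dec 22 12:58:04 10.20.30.5 @",
    "Dec 22 12:58:04 10.20.30.5",
    "Dec 22 12:58:04 10.20.30.5 __s2s_capabilities",
    "Dec 22 12:58:04 10.20.30.5 ack=0;compression=0",
    "Dec 22 12:58:04 10.20.30.5 _raw",
    "Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--",
    "Dec 22 12:58:24 10.20.30.5 pihole",
    "Dec 22 12:58:24 10.20.30.5 8089",
    "Dec 22 12:58:24 10.20.30.5 @",
    "Dec 22 12:58:24 10.20.30.5",
    "Dec 22 12:58:24 10.20.30.5 __s2s_capabilities",
    "Dec 22 12:58:24 10.20.30.5 ack=0;compression=0",
    "Dec 22 12:58:24 10.20.30.5 _raw",
    # constructed, not from the post: what a relayed pihole.log event would look like
    "Dec 22 12:58:30 10.20.30.5 dnsmasq[1234]: query[A] example.com from 10.20.30.7",
]


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print("hosts sending Splunk S2S to the syslog port:",
          find_misconfigured_forwarders(SAMPLE_LINES))
```

Run it against the real syslog-ng file instead of SAMPLE_LINES and any host it names is a forwarder whose outputs.conf points a tcpout group at the syslog receiver; the fix belongs on that forwarder, not on syslog-ng.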

scelikok
SplunkTrust

@g_paternicola, if you want to forward all data to the syslog server you can use a UF. You should send data to the syslog server by using the syslog output. Please try the config below:

outputs.conf

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = 10.20.30.15:514

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

g_paternicola
Path Finder

@scelikok thank you for your hint! The syslog stanza really makes sense here... but now I'm not getting any logs anymore...

scelikok
SplunkTrust

Sorry @g_paternicola, I missed that the syslog output processor is not available on a UF. The same config should work if you convert that UF to an HF.

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
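Putting the accepted answer together as a complete heavy-forwarder configuration, with the wrong stanza from the question kept alongside for comparison. This is an added example, not config from the thread or copied from Splunk's documentation: the receiver 10.20.30.15:514 and the sourcetype pihole:log come from the question; the app directory, the choice of TCP, the syslog priority value and the per-sourcetype routing transform are my assumptions.

```ini
# outputs.conf on the heavy forwarder
# (assumed location: $SPLUNK_HOME/etc/apps/pihole_syslog/local/)
#
# What the question had: a tcpout group pointed at the syslog receiver. tcpout
# speaks Splunk's S2S "cooked" protocol, which is exactly the
# "--splunk-cooked-mode-v3--" / "__s2s_capabilities" / "_raw" debris shown above.
#
#   [tcpout]
#   defaultGroup = default-autolb-group
#   [tcpout:default-autolb-group]
#   server = 10.20.30.15:514
#
# What a syslog receiver needs: the syslog output processor. It exists only on a
# heavy forwarder / full Splunk Enterprise instance; a universal forwarder has no
# such processor and ignores these stanzas, which is why the UF went quiet.
#
# No [syslog] defaultGroup here on purpose: defaultGroup would send every event
# the HF processes to syslog-ng. Only pihole:log is routed, via the transform below.

[syslog:syslogGroup]
server = 10.20.30.15:514
# Default transport is udp. tcp (assumed here) avoids silent loss under load.
# Neither transport offers TLS; see the note below.
type = tcp
# Assumed: facility local0 (16) * 8 + severity informational (6) = 134.
priority = <134>
timestampformat = %b %e %H:%M:%S

# props.conf on the heavy forwarder
# The stanza name must match the sourcetype set in inputs.conf (pihole:log);
# a [dnsmasq] stanza would never be applied to these events.
[pihole:log]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# Send this sourcetype, and only this sourcetype, to the syslog output group.
TRANSFORMS-route_pihole = route_pihole_to_syslog

# transforms.conf on the heavy forwarder
[route_pihole_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
```

Before restarting, confirm the HF actually reads the stanzas with `splunk btool outputs list syslog:syslogGroup --debug` and `splunk btool props list pihole:log --debug`; the `--debug` column shows which file each setting came from, which catches a stanza left in the wrong app. Two caveats a practitioner will care about. First, Splunk's syslog output supports only udp and tcp, so DNS query logs leave the forwarder in cleartext; keep the path on a trusted segment or terminate it on a local syslog-ng relay that adds TLS. Second, tcpout can be switched to raw lines with `sendCookedData = false`, which removes the S2S framing, but the result still carries no syslog PRI header or hostname, so the syslog output on an HF remains the supported way to feed a syslog receiver.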

aasabatini
Motivator

Try to index the data with the add-on (https://splunkbase.splunk.com/app/4505/) and afterwards forward it to syslog.

Yes you can forward the data via outputs.conf or GUI.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

g_paternicola
Path Finder

Thank you very much for your answer, but is it a good way to send logs Splunk HF > syslog-ng and then again to Splunk?

aasabatini
Motivator

Hi,

To forward syslog data I suppose it's better to use a Splunk heavy forwarder, not a universal forwarder.

The HF is only a normal Splunk instance with a forwarding rule.

However, I think it's better to index the logs and then send them to the syslog-ng server.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

g_paternicola
Path Finder

Even on an HF I have to configure inputs.conf and outputs.conf like on a UF, so what else should I configure on the HF in order to get the right data and not this garbage? Do I have to install the Pi-hole app in order to get clean data in and then forward it to my syslog?