Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Questions about CentOS rsyslog and Splunk configuration

InteractM
Explorer
‎09-05-2013 08:54 AM

I have a dedicated syslog server running on CentOS6 (rsyslog) which gathers all logs from other servers/devices (stored in a database).

My questions are:
1. Can I install Splunk on same server?
2. What do I need to do to have Splunk as syslog analyzer (and to keep rsyslog as syslog server)?

Thanks

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎09-05-2013 12:34 PM

You'll need to have rsyslog send a copy to Splunk and a copy into the database. This isn't hard to do with rsyslog.

You could send directly to a Splunk TCP input using:

*.* @@centralserver.example.net

in addition to your database configuration.

Alternatively, have the files written to disk and to your database, and then just have Splunk read those log files.

Splunk automatically parses syslog formatted logs, so you can just send it directly or have it read the files directly.

That's it. 🙂

--
Jesse Trucks
Minister of Magic

View solution in original post

Reply
Solved! Jump to solution
Solution

jtrucks
Splunk Employee
Splunk Employee
‎09-05-2013 12:34 PM

You'll need to have rsyslog send a copy to Splunk and a copy into the database. This isn't hard to do with rsyslog.

You could send directly to a Splunk TCP input using:

*.* @@centralserver.example.net

in addition to your database configuration.

Alternatively, have the files written to disk and to your database, and then just have Splunk read those log files.

Splunk automatically parses syslog formatted logs, so you can just send it directly or have it read the files directly.

That's it. 🙂

--
Jesse Trucks
Minister of Magic
Reply
Solved! Jump to solution

InteractM
Explorer
‎09-09-2013 01:11 PM

OK, got it fixed. There were two issues:

1) to use local IP instead a domain 'localhot'
2) Line *.* @@127.0.0.1 must be added after a line with saving to the DB (as a primary logs storage)

0 Karma
Reply
Solved! Jump to solution

InteractM
Explorer
‎09-09-2013 12:49 PM

Well, I have added

*.* @@localhost

to the rsyslog config and it looks like is not gathering any data (wrong syntax?) neither Syslog seeing anything from syslog (added TCP listening on port 514)

Any clue?

Thanks

0 Karma
Reply
Solved! Jump to solution

InteractM
Explorer
‎09-05-2013 02:16 PM

@@centralserver.example.net is this a location of the server where is Splunk located? Is this not going to loop because is this on same server or it will be parallel connection?

Current rsyslog config connection looks like:
*.* :ommysql:127.0.0.1,rsysdb,user,pass

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...