Getting Data In

Rsyslog configuration with Splunk

Karthikeya
Communicator

Please help me in configuring rsyslog to Splunk. Our rsyslog server will receive the logs from network devices and our rsyslog has UF installed. 

I have no idea how to configure this or what rsyslog means.

Please help me with a step-by-step procedure for how to configure this to our deployment server or indexer.

Documentation will be highly appreciated.

0 Karma

PickleRick
SplunkTrust

Well, rsyslog configuration can be as simple as

*.* /var/log/all.log

but can also span into several hundreds of files, with complicated processing rules and sending data to multiple destinations and such.

Rsyslog recently had a major overhaul of its docs page https://www.rsyslog.com/doc/v8-stable/index.html (the old docs were a bit confusing at times), and it has a relatively responsive mailing list: https://lists.adiscon.net/mailman/listinfo/rsyslog

0 Karma

dural_yyz
Motivator

Rsyslog is a brand/flavour of application dedicated to the syslog message protocol and its handling. There are alternatives, of which the most popular is likely syslog-ng. So don't get caught up on the term rsyslog.

https://www.rsyslog.com/doc/configuration/index.html

Configuring rsyslog or any syslog for your environment can be easy, but planning to reduce any gotcha moments requires some forethought. Separating technology and hosts is key to making Splunk ingestion much easier. A sample thought would be to have all inbound messages to the aggregator server written to a file structure such as:

/logs/<vendor>/<technology>/<host>/<filename.something>

ex

/logs/cisco/isa/127.0.0.1/authentication.log

/logs/cisco/isa/192.168.0.1/metrics.log

* completely fabricated examples

Have the logs rotate on a schedule (i.e. 15 mins or 60 mins) and remove files older than 'x' amount of time. How you do this will be based on the volume of logs written and available storage. I've worked on a x3 original file span as a working bias, but again your system may dictate that. I always keep some in case the UF goes offline for a short period of time; that way you can recover logs you may otherwise miss.

Once you have that in place, you need to follow the normal UF ingestion process, which I won't go through here since your question was more on rsyslog than UF, and this community board has far more UF answers than syslog-specific examples that are easily searched.
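As an added illustration of the layout described in the answer above (this is constructed example configuration, not something from the original post or from the rsyslog project), the rsyslog snippet below listens for network devices on UDP/TCP 514 and writes each message into /logs/<vendor>/<technology>/<host>/<hour>.log. The vendor/technology labels are assigned from the sender's source subnet, which is an assumption for the sake of the example; the subnets, ports and labels are placeholders. Naming the file by hour gives the schedule-based rotation mentioned above without needing logrotate to rename files under the UF.

```conf
# /etc/rsyslog.d/10-network-devices.conf  (constructed example, adjust to your environment)

# Listeners for the network devices; both are bound to a dedicated ruleset
# so their messages never mix with the aggregator's own local syslog.
module(load="imudp")
input(type="imudp" port="514" ruleset="netdev")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="netdev")

# File name built from local variables ($.vendor, $.tech) set in the ruleset,
# the sender's IP, and the current hour. A new file starts every hour, so
# "rotation" is just the clock ticking over; old hours are pruned separately.
template(name="NetDevFile" type="string"
         string="/logs/%$.vendor%/%$.tech%/%FROMHOST-IP%/%$year%-%$month%-%$day%-%$hour%.log")

ruleset(name="netdev") {
    # Classify by source subnet (placeholder ranges; use whatever maps to your
    # device inventory, or a separate listener port per vendor instead).
    if $fromhost-ip startswith "192.168.10." then {
        set $.vendor = "cisco";
        set $.tech = "asa";
    } else if $fromhost-ip startswith "192.168.20." then {
        set $.vendor = "paloalto";
        set $.tech = "panos";
    } else {
        set $.vendor = "unknown";
        set $.tech = "unknown";
    }

    # dynaFile makes omfile evaluate the template per message and create
    # directories as needed; restrictive modes so only the UF's group can read.
    action(type="omfile" dynaFile="NetDevFile"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="splunk" fileOwner="root" fileGroup="splunk")

    # Do not let these messages fall through to the default /var/log rules.
    stop
}
```

Check the file with `rsyslogd -N1` before restarting the service. Pruning to the "x3 file span" idea from the answer is then a cron job along the lines of `find /logs -type f -name '*.log' -mmin +180 -delete` for hourly files kept for three hours; pick the retention that matches your volume and how long the UF might be offline. %HOSTNAME% can be used in place of %FROMHOST-IP% if your devices send a consistent hostname.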

gcusello
SplunkTrust

Hi @Karthikeya ,

You have to configure rsyslog using the documentation that you can find at https://www.rsyslog.com/doc/index.html

rsyslog writes the received syslogs in files whose names are defined in the rsyslog configuration file.

Usually part of the path is the hostname that sent the logs, so you can use it in the inputs.conf configuration.

What's your issue: how to configure rsyslog, how to configure UF or both?

For rsyslog, I already sent the documentation; for the UF input you can see https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/Usingforwardingagents, and in addition there are many videos about this.

Ciao.

Giuseppe
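To show how the hostname-in-the-path idea from this answer is consumed on the forwarder side, here is a constructed inputs.conf for the UF (added example, not from the original post or from Splunk's documentation). It assumes rsyslog writes files under /logs/<vendor>/<technology>/<host>/, so the host is the fourth path segment; the index and sourcetype names are placeholders.

```conf
# /opt/splunkforwarder/etc/system/local/inputs.conf  (constructed example)

# "..." recurses through every vendor/technology/host directory under /logs.
[monitor:///logs/.../*.log]
disabled = 0
index = netdev
sourcetype = syslog

# Path is /logs/<vendor>/<technology>/<host>/<file>; counting from 1,
# the host directory is segment 4, so each event is tagged with the
# sender's hostname/IP rather than the aggregator's own name.
host_segment = 4

# Skip files untouched for longer than the retention window so a UF that
# was offline does not re-read everything the pruning job has not removed yet.
ignoreOlderThan = 3d
```

If the directory layout is flatter or deeper, adjust host_segment accordingly, or use host_regex against the full path instead. After editing, `splunk list monitor` on the UF shows which files are actually picked up, and a search such as `index=netdev | stats count by host, source` on the indexer confirms the host field is being derived from the path rather than defaulting to the rsyslog server.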
