Getting Data In

Rsyslog configuration with Splunk

Karthikeya
Path Finder

Please help me with configuring rsyslog to Splunk. Our rsyslog server will receive the logs from network devices, and our rsyslog server has a UF installed.

I have no idea how to configure this, or what rsyslog means.

Please help me with a step-by-step procedure for how to configure this to our deployment server or indexer.

Documentation will be highly appreciated.

0 Karma

PickleRick
SplunkTrust

Well, rsyslog configuration can be as simple as

*.* /var/log/all.log

but can also span into several hundreds of files, with complicated processing rules and sending data to multiple destinations and such.

Rsyslog recently had a major overhaul of its docs page, https://www.rsyslog.com/doc/v8-stable/index.html (the old docs were a bit confusing at times), and it has a relatively responsive mailing list: https://lists.adiscon.net/mailman/listinfo/rsyslog

0 Karma

dural_yyz
Builder

Rsyslog is a brand/flavour of application dedicated to the syslog message protocol and its handling. There are alternatives, of which the most popular is likely syslog-ng. So don't get caught up on the term rsyslog.

https://www.rsyslog.com/doc/configuration/index.html

Configuring rsyslog, or any syslog daemon, for your environment can be easy, but planning to reduce any gotcha moments requires some forethought. Separating by technology and host is the key thing that makes Splunk ingestion much easier. A sample approach would be to have all inbound messages to the aggregator server written to a file structure such as:

/logs/<vendor>/<technology>/<host>/<filename.something>

e.g.

/logs/cisco/isa/127.0.0.1/authentication.log

/logs/cisco/isa/192.168.0.1/metrics.log

* completely fabricated examples

Have the logs rotate on a schedule (i.e. 15 mins or 60 mins) and remove files older than 'x' amount of time. How you do this will be based on the volume of logs written and the available storage. I've worked with a 3x original file span as a working bias, but again your system may dictate that. I always keep some in case the UF goes offline for a short period of time, so you can recover logs you may otherwise miss.


Once you have that in place, you need to follow the normal UF ingestion process, which I won't go through here since your question was more on rsyslog than the UF, and this community board has far more UF answers than syslog-specific examples that are easily searched.

gcusello
SplunkTrust

Hi @Karthikeya,

You have to configure rsyslog using the documentation that you can find at https://www.rsyslog.com/doc/index.html

rsyslog writes the received syslog messages to files whose names are defined in the rsyslog configuration file.

Usually part of the path is the hostname that sent the logs, so you can use it in the inputs.conf configuration.

What's your issue: how to configure rsyslog, how to configure UF or both?

For rsyslog, I already sent the documentation; for the UF input you can see https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/Usingforwardingagents, and in addition there are many videos about this.

Ciao.

Giuseppe
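As an added example (not from any of the posters above), this is one way to implement the per-vendor/technology/host directory layout dural_yyz describes and the hostname-in-path inputs.conf stanza gcusello mentions. It assumes the Cisco devices send to UDP port 514, the rsyslog server writes under /logs/cisco/isa/, and the UF app name (`netdev_inputs`), index name (`network`) and 3-day retention are placeholders to adjust for your environment.

```conf
# --- /etc/rsyslog.d/10-netdev.conf (rsyslog v8 RainerScript syntax) ---
# Listen on UDP 514 and bind that listener to its own ruleset, so
# device traffic never mixes with the server's local /var/log files.
module(load="imudp")
input(type="imudp" port="514" ruleset="cisco_isa")

# Per-sender file path: /logs/<vendor>/<technology>/<host>/<date>.log
# %fromhost-ip% is the sender's IP; one file per day keeps rotation
# simple and lets old files be removed by age.
template(name="CiscoIsaFile" type="string"
         string="/logs/cisco/isa/%fromhost-ip%/%$year%-%$month%-%$day%.log")

# Keep the original message as received; RSYSLOG_TraditionalFileFormat
# is the built-in format that matches the default /var/log layout.
ruleset(name="cisco_isa") {
    action(type="omfile"
           dynaFile="CiscoIsaFile"
           template="RSYSLOG_TraditionalFileFormat"
           dirCreateMode="0750"
           fileCreateMode="0640")
}

# Retention (placeholder, run from cron): delete files older than 3 days,
# which keeps a buffer for the UF to catch up after a short outage.
#   0 * * * * find /logs/cisco/isa -type f -name '*.log' -mtime +3 -delete

# --- $SPLUNK_HOME/etc/apps/netdev_inputs/local/inputs.conf (on the UF) ---
# Path segments, counted from 1 with the leading "/" dropped:
#   1=logs  2=cisco  3=isa  4=<sender IP>  5=<date>.log
# host_segment = 4 therefore sets the Splunk host field to the sender IP
# instead of the rsyslog server's hostname.
[monitor:///logs/cisco/isa/*/*.log]
disabled = false
sourcetype = cisco:asa
index = network
host_segment = 4
```

Adding a second vendor means another `input(... port=... ruleset=...)`, template and ruleset pair writing under its own /logs/<vendor>/<technology>/ prefix, with a matching monitor stanza on the UF.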
