Getting Data In

Rsyslog configuration with Splunk

Karthikeya
Communicator

Please help me in configuring rsyslog to Splunk. Our rsyslog server will receive the logs from network devices and our rsyslog has UF installed. 

I have no idea how to configure this or what rsyslog means.

Please help me with a step-by-step procedure for configuring this to our deployment server or indexer.

Documentation will be highly appreciated.

0 Karma

PickleRick
SplunkTrust

Well, rsyslog configuration can be as simple as

*.* /var/log/all.log

but can also span into several hundreds of files, with complicated processing rules and sending data to multiple destinations and such.

Rsyslog recently had a major overhaul of its docs page  https://www.rsyslog.com/doc/v8-stable/index.html (the old docs were a bit confusing at times) and it has a relatively responsive mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog

0 Karma

dural_yyz
Motivator

rsyslog is a brand/flavour of application dedicated to the syslog message protocol and handling. There are alternatives, of which the most popular is likely syslog-ng. So don't get caught up on the term rsyslog.

https://www.rsyslog.com/doc/configuration/index.html

Configuring rsyslog or any syslog for your environment can be easy, but planning to reduce any gotcha moments requires some forethought. Separating technology and hosts is key to making Splunk ingestion much easier. A sample thought would be to have all inbound messages to the aggregator server written to a file structure such as:

/logs/<vendor>/<technology>/<host>/<filename.something>

ex

/logs/cisco/isa/127.0.0.1/authentication.log

/logs/cisco/isa/192.168.0.1/metrics.log

* completely fabricated examples

Have the logs rotate on a schedule (i.e. 15 mins or 60 mins) and remove files older than 'x' amount of time. How you do this will be based on the volume of logs written and available storage. I've worked on a x3 original file span as a working bias, but again your system may dictate that. I always keep some in case the UF goes offline for a short period of time, so you can recover logs you may otherwise miss.

Once you have that in place, you need to follow the normal UF ingestion process, which I won't go through here since your question was more on rsyslog than UF, and this community board has far more UF answers than syslog-specific examples that are easily searched.
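The layout and hourly rotation described above, written out as an rsyslog configuration. This is an added example, not the poster's configuration: the vendor/technology labels, the 10.1.1.0/24 source range, the /logs prefix and the file owner/group are all constructed for illustration. The `secpath-replace` option on the program name is the part worth noting for security: a device (or anyone who can reach the listener) controls the syslog tag, and without it a tag containing `/` or `..` could steer writes outside the intended directory.

```conf
# /etc/rsyslog.d/10-network-devices.conf
# Added example, not the poster's configuration. Vendor/technology labels,
# the 10.1.1.0/24 range, the /logs prefix and the owner/group are constructed.

module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="netdev")
input(type="imtcp" port="514" ruleset="netdev")

# File name built from the layout /logs/<vendor>/<technology>/<host>/<file>.
# $.vendor and $.tech are set per message in the ruleset below.
# secpath-replace rewrites "/" and ".." in the sender-controlled program name
# to "_", so a crafted syslog tag cannot escape the per-host directory.
# $hour in the name starts a new file every hour, which is the rotation the
# poster describes; deleting old files is left to logrotate or a cron job.
template(name="NetdevFile" type="string"
         string="/logs/%$.vendor%/%$.tech%/%fromhost-ip%/%programname:::secpath-replace%-%$year%%$month%%$day%%$hour%.log")

# Keep the original message intact so Splunk can parse it with the vendor sourcetype
template(name="RawLine" type="string" string="%rawmsg%\n")

ruleset(name="netdev") {
    # Classify by source network; anything unknown still lands in a predictable path
    if $fromhost-ip startswith "10.1.1." then {
        set $.vendor = "cisco";
        set $.tech = "ios";
    } else {
        set $.vendor = "unclassified";
        set $.tech = "syslog";
    }
    action(type="omfile" dynaFile="NetdevFile" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="syslog" fileGroup="splunk")
    stop   # do not also apply the default /var/log rules to these messages
}
```

The `stop` at the end of the ruleset matters on a box that also keeps a local `/var/log` configuration: without it every network message is written twice. Using `fromhost-ip` rather than `hostname` for the host segment avoids trusting a hostname the device puts in its own header.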

gcusello
SplunkTrust

Hi @Karthikeya ,

You have to configure rsyslog using the documentation that you can find at https://www.rsyslog.com/doc/index.html

rsyslog writes the received syslogs in files whose names are defined in the rsyslog configuration file.

Usually part of the path is the hostname that sent the logs, so you can use it in the inputs.conf configuration.

What's your issue: how to configure rsyslog, how to configure the UF, or both?

For rsyslog, I already sent the documentation; for the UF input you can see https://docs.splunk.com/Documentation/Splunk/9.3.2/Data/Usingforwardingagents. In addition, there are many videos about this.

Ciao.

Giuseppe
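The inputs.conf side of what Giuseppe describes, as an added example that is not from the thread: the UF monitors the per-host directories and takes the host field from the path segment rsyslog filled in, so the Splunk host is the device that sent the message rather than the aggregator. It assumes the /logs/<vendor>/<technology>/<host>/ layout discussed earlier; the index, sourcetype and retention values are constructed.

```conf
# /opt/splunkforwarder/etc/system/local/inputs.conf
# Added example, not from the thread. Assumes logs are written as
# /logs/<vendor>/<technology>/<host>/<file>.log; index and sourcetype names are constructed.

[monitor:///logs/cisco/ios/*/*.log]
disabled = false
# /logs/cisco/ios/10.1.1.5/auth-YYYYMMDDHH.log -> segment 4 is the sending device
host_segment = 4
sourcetype = cisco:ios
index = network
# Do not re-read files that have aged out of the aggregator's recovery window
ignoreOlderThan = 7d

# Messages rsyslog could not classify still get a host and a catch-all sourcetype
[monitor:///logs/unclassified/syslog/*/*.log]
disabled = false
host_segment = 4
sourcetype = syslog
index = network
```

Path segments are counted from 1 starting with `logs`, so changing the depth of the directory layout means updating `host_segment` at the same time; a mismatch silently assigns a vendor or technology name as the host.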
