Splunk as a syslog server
Can Splunk be used as a syslog server receiving syslog messages directly from a firewall or is a separate syslog server required?
It can, but the best practice is to use a dedicated syslog receiver and have Splunk index the individual log files. See the answer at http://splunk-base.splunk.com/answers/28680
hi stevetaylormnp
Yes, it can. See examples here.
Update: the working link is here: http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports
But keep in mind, if you set up a single Splunk indexer to receive syslog, your syslog data is lost while you restart your Splunk.
cheers,
muS
I'm not talking about the already indexed syslog data. If you set up Splunk to receive syslog data and reboot / restart your Splunk server, who will then receive those syslog packets? Correct, no one will = data lost in UDP space.......
To prevent such things you could set up a syslog-ng server as master syslog collector, save everything into a file and use a universal forwarder to read and send this file to the indexer.
Hope this makes more sense now. Cheers, MuS
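A minimal syslog-ng collector configuration for the setup MuS describes, added here as an illustration (it is not from the original thread, the Splunk docs, or syslog-ng's own documentation). The listening port, the /var/log/remote directory, and the "splunk" service account are assumptions; HOST is taken from the sender's IP address rather than from the message header, so a spoofed hostname cannot steer writes outside the directory.

```conf
@version: 3.38
# Global options: create per-host directories on demand, name files by the
# sender's IP (not the hostname claimed in the message), and reject messages
# whose hostname field contains invalid characters.
options {
    create_dirs(yes);
    keep_hostname(no);
    use_dns(no);
    check_hostname(yes);
};

# Listen for firewall syslog on UDP and TCP 514 (port is an assumption).
source s_firewall {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# One file per sender per day; readable by the Splunk forwarder account.
destination d_firewall {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")
         owner("splunk") group("splunk") perm(0640) dir_perm(0750));
};

log { source(s_firewall); destination(d_firewall); };
```

On the forwarder side a `[monitor:///var/log/remote/*/*.log]` stanza in inputs.conf with `host_segment = 4` picks the sender directory up as the Splunk host field, so files keep accumulating on disk while the indexer is down and are forwarded once it returns.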
Oops, this page doesn't exist... :-)
Updated 😉
What do you mean by "your syslog data is lost while you restart your Splunk"? Splunk stores syslog input inside of files along with all of its other data; it won't lose the data due to a simple restart.
