Getting Data In

Splunk as a syslog server

stevetaylormnp
Explorer

Can Splunk be used as a syslog server receiving syslog messages directly from a firewall or is a separate syslog server required?

Tags (1)

jeff
Contributor

It can, but the best practice is to use a dedicated syslog receiver and have splunk index the individual log files. See the answer at http://splunk-base.splunk.com/answers/28680

MuS
SplunkTrust
SplunkTrust

hi stevetaylormnp

Yes, it can. see examples here

Update: working link is here http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

But keep in mind, if you setup a single splunk indexer to receive syslog, your syslog data is lost while you restart your splunk.

cheers,

muS

MuS
SplunkTrust
SplunkTrust

I'm not talking about the already indexed syslog data. If you setup Splunk to receive syslog data and reboot / restart your Splunk server, who will then receive those syslog packets? Correct, no one will = data lost in UDP space.......
To prevent such things you could setup a syslog-ng server as master syslog collector, save everything into a file and use a universal forwarder to read and sent this file to the indexer.

hope this makes more sense now. Cheers , MuS

0 Karma

season88481
Contributor

Ops, this page doesn't exist...:-)

0 Karma

MuS
SplunkTrust
SplunkTrust

updated 😉

0 Karma

stefanlasiewski
Contributor

What do you mean by "your syslog data is lost while you restart your Splunk"? Splunk stores syslog input inside of files along with all of it's other data-- it won't lose the data due to a simple restart.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!