Getting Data In

Syslog-ng, filter by ip


I have some firewalls and stuff like that send logs to my Splunk server (using normal syslog at the moment). For now in "search" there is only one source, "udp:514". I would like to filter so it lists all the different sources (by IP, or by a name I define for the source). I heard that you use syslog-ng for it. I have searched a bit but haven't found any really good guides. Can someone push me in the right direction?



It's worth noting that if you want to override only a few special cases, you may wish to use a transform instead. Take a look at:

If you decide to keep Splunk as your listener, you may want to make sure that you have DNS resolution turned on, either through the Manager or by setting connection_host = dns in the stanza for port 514 in inputs.conf.

That out of the way, there are some other advantages to using syslog-ng, and many people consider that a best-practice. In particular, it gives you more freedom to restart Splunk without losing events.

Configuring for use with syslog-ng

What follows is a rough guide to setting it all up. Some options will vary depending on your OS and distribution.

By default, Splunk will name each source to the path of the syslog-ng logfile on your Splunk server, e.g., source=/inputs/syslog/myhost/messages.

You'll also want to take a look at the syslog-ng Administrators Guide for more detail on the syslog-ng configuration:

Install syslog-ng

First, you'll need to actually install syslog-ng using the normal procedure for your OS (sudo yum install syslog-ng, or sudo apt-get install syslog-ng, or whatever).

You may need to uninstall or disable your existing syslog daemon before syslog-ng can be used.

Configure syslog-ng

Then, configure it to listen for incoming messages and save them to individual files based on where the message is coming from.

Note that this is not a complete configuration - you'll need to merge it with your default config file. Some additional tweaks, like flattening each section to a single line, may be needed if your distribution uses syslog-ng version 3.x.

# Misc options - use or leave out as desired.
options {
    # Resolve names from /etc/hosts, but don't do DNS lookups.
    # Set to 'yes' if you want full DNS (slightly higher risk of DoS and delays).
    use_dns(persist_only);

    # Increase the maximum allowed length of an incoming message.
    # (The value used in the original did not survive; 8192 here is an assumption.)
    log_msg_size(8192);
};

# Start listening for messages on TCP and UDP ports.
# Without an ip() argument syslog-ng binds all interfaces; add ip("a.b.c.d")
# to restrict the listener to one address.
source s_remote {
    tcp(port(514));
    udp(port(514));
};

# Define a destination file or files.
# Dumps all entries for that host into one file. Replace 'messages'
# with '$FACILITY' if you want to break out individual syslog facility.
# create_dirs(yes) lets syslog-ng create /inputs/syslog/<host>/ the first
# time a new host sends a message.
destination d_split_by_host {
    file("/inputs/syslog/$HOST/messages" create_dirs(yes));
};

# Route messages coming in via TCP or UDP sources to the right destination
log { source(s_remote); destination(d_split_by_host); flags(final); };

Disable Splunk listening on port 514

Turn off Splunk's listener on port 514, so that syslog-ng will be able to bind to the port.

In inputs.conf set:

[udp://514]
disabled = true

or just delete the stanza for port 514 altogether.

Restart syslog-ng

Restart syslog-ng with /etc/init.d/syslog-ng restart or equivalent.

Verify that the syslog daemon is now listening on port 514 (sudo netstat -anp | grep 514 is one way).

Configure Splunk

Now, configure Splunk to monitor the directory tree. In inputs.conf:

[monitor:///inputs/syslog]
disabled = false
# segment 3 of /inputs/syslog/<host>/messages is the per-host directory
host_segment = 3
# skip rotated archives and the lost+found directory ('+' must be escaped,
# otherwise the regex matches "lostfound" rather than "lost+found");
# Splunk 4.0 spelled this setting _blacklist
blacklist = (.*\.gz$)|(lost\+found)

By using host_segment, Splunk will automatically assign the host value based on the directory name, which syslog-ng will have created to match the IP address or hostname.

Override sourcetypes as needed

One of the disadvantages of this approach comes when Splunk fails to automatically recognize the sourcetype of log entries, especially for small files. You can override those as needed in props.conf:


Set up Log Rotation

At this point, you should be able to start getting data into Splunk, but your log files will grow indefinitely. To prune them, if you are running logrotate, you can create a new file at /etc/logrotate.d/inputs-syslog:

/inputs/syslog/*/messages {
    minsize 10M
    rotate 1
    # rotated files become *.gz, which the blacklist in inputs.conf skips
    compress
    postrotate
        /etc/rc.d/init.d/syslog-ng reload 2>/dev/null
    endscript
}

You'll need to add additional filenames (not just 'messages') for each syslog facility if you decide to use $FACILITY in syslog-ng's configuration.
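As an added illustration, not part of the answer above, the following Python script emulates what the chain of settings in that answer does to a message: it parses the `<PRI>` header of a few constructed RFC 3164 lines into a facility, picks `$HOST` the way syslog-ng does with `use_dns(persist_only)` and its default `keep_hostname(no)` (the sender address, resolved only through an /etc/hosts-style table), expands the `file()` template, then applies Splunk's `host_segment = 3` and the `blacklist` regex to the resulting path. The `HOSTS_FILE` table, the sample lines and the helper names are all constructed for the example; the facility names for numbers 12-15 follow syslog-ng's list and differ between implementations.

```python
"""Emulate the syslog-ng split-by-host / Splunk host_segment pipeline (added example)."""
import re

# syslog-ng facility names, indexed by the facility number encoded in <PRI>.
# Names for 12-15 vary between implementations; this follows syslog-ng's list.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]

# Constructed /etc/hosts-style table standing in for use_dns(persist_only):
# names come only from this table, never from a DNS query.
HOSTS_FILE = {"10.0.0.5": "fw-edge"}

# Constructed sample traffic: (sender address, raw RFC 3164 line). Not real logs.
SAMPLES = [
    ("10.0.0.5", "<34>Jun  3 12:00:01 fw-edge sshd[1023]: Failed password for root"),
    ("10.0.0.9", "<13>Jun  3 12:00:02 core-sw %LINK-3-UPDOWN: Gi0/1 changed state to down"),
]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility_name, severity) from the <PRI> header, or None if absent."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    if facility >= len(FACILITY_NAMES):
        return None
    return FACILITY_NAMES[facility], severity


def resolve_host(sender_ip, hosts_file, use_dns="persist_only"):
    """$HOST as syslog-ng sets it with keep_hostname(no): the sender address,
    name-resolved only through the local table when use_dns is persist_only."""
    if use_dns == "no":
        return sender_ip
    return hosts_file.get(sender_ip, sender_ip)


def destination_path(sender_ip, line, hosts_file, template="/inputs/syslog/$HOST/messages"):
    """Expand the file() template the way d_split_by_host does."""
    parsed = parse_pri(line)
    # syslog-ng assigns user.notice to messages that arrive without a <PRI>
    facility = parsed[0] if parsed else "user"
    host = resolve_host(sender_ip, hosts_file)
    return template.replace("$HOST", host).replace("$FACILITY", facility)


def splunk_host_from_path(path, host_segment):
    """Splunk's host_segment: the Nth path component, counting from 1 after the leading '/'."""
    segments = [s for s in path.split("/") if s]
    if host_segment < 1 or host_segment > len(segments):
        return None
    return segments[host_segment - 1]


def blacklisted(path, pattern=r"(.*\.gz$)|(lost\+found)"):
    """Apply a monitor-stanza blacklist regex; Splunk matches it unanchored against the path."""
    return re.search(pattern, path) is not None


if __name__ == "__main__":
    for ip, line in SAMPLES:
        p = destination_path(ip, line, HOSTS_FILE, "/inputs/syslog/$HOST/$FACILITY")
        print(f"{ip} -> {p} -> splunk host={splunk_host_from_path(p, 3)}")
```

Two things the run makes visible: a sender that is absent from the hosts table ends up in a directory named after its IP, which is exactly the "by IP" split the question asked for, and the unescaped `(lost+found)` from the original blacklist never matches a real `lost+found` path, so the `+` has to be escaped.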


is it possible to check those configs on ng version 3?
Those are really different it seems!


Thanks very much, much more detail in the answer than I expected! Works like a charm.
