Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using syslog to forward data or Universal forwarder

andywt123
New Member
‎06-10-2014 11:51 AM

I have setup splunk 6.1.1. In our environment we are running rsyslog in a failover configuration.
Rsyslog is collecting all the data and then forwarding the data to Splunk. Splunk is configured
with a tcp receiver on port 514. The one issue we are running into is we are getting a large number
of entries that are not syslog compliant. We are then getting hosts with names such as 2014,14z etc.
I am looking for advice on what would be the best way to reduce these errors? Would the universal forwarder work better at detecting log types and then forwarding it to Splunk?

0 Karma
Reply

bcdady
Explorer
‎12-17-2014 09:00 PM

Depending on what information / insights you're looking for, there might be certain info needed from forwarders, in order to put the right data in the right indexes to make the Apps work as designed.
SplunkForwarder can collect metrics / stats from Windows, Linux, etc. that are often not easily attainable via syslog (See About forwarding and receiving).

How many syslog sources are you sending through your rsyslog, and what OS are they?
If you aren't sure how to track any possible trends related to where the malformed log entries, then setting up Deployment and installing forwarders instead of syslog could definitely help you clean up your data (format errors), as well as provide additional data to bring the apps to life.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...