Getting Data In

Using syslog to forward data or Universal forwarder

New Member

I have setup splunk 6.1.1. In our environment we are running rsyslog in a failover configuration.
Rsyslog is collecting all the data and then forwarding the data to Splunk. Splunk is configured
with a tcp receiver on port 514. The one issue we are running into is we are getting a large number
of entries that are not syslog compliant. We are then getting hosts with names such as 2014,14z etc.
I am looking for advice on what would be the best way to reduce these errors? Would the universal forwarder work better at detecting log types and then forwarding it to Splunk?

0 Karma


Depending on what information / insights you're looking for, there might be certain info needed from forwarders, in order to put the right data in the right indexes to make the Apps work as designed.
SplunkForwarder can collect metrics / stats from Windows, Linux, etc. that are often not easily attainable via syslog (See About forwarding and receiving).

How many syslog sources are you sending through your rsyslog, and what OS are they?
If you aren't sure how to track any possible trends related to where the malformed log entries, then setting up Deployment and installing forwarders instead of syslog could definitely help you clean up your data (format errors), as well as provide additional data to bring the apps to life.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...