Getting Data In

What's the next step to setup my universal forwarder on a syslog server?



I am trying to bring a client's syslog data into Splunk using a universal forwarder (UF) on a syslog server. I am getting Splunk internal logs, and I am getting Linux logs off the box.

The permissions seem to be set correctly and I am not seeing any errors in the Splunk internal logs.

Any ideas of where I can go from here?

My input stanza looks like the following:

recursive = true
crcSalt =
queue = parsingQueue
sourcetype = netscreen:firewall
host_segment = 4
disabled = 0



0 Karma


Hi jgorman_THG,

It would be a good practice to collect these syslogs and write into the directories that can be accessible by splunk user. syslog-ng does have a lot of features where you can collect/filter and write the messages in appropriate dirs you wanted.This process makes it easier to configure the inputs on the UF and parsing the logs for the metadata like host field etc.

0 Karma

Splunk Employee
Splunk Employee

Hey JG!

/var/log is usually owned by root or by admin groups. You likely just need to chown the log file, or have the splunk user added to adm group, etc. Make sure the sysadmin configures logrotate to keep the new perms too!

You can confirm by checking the status of any input with the super handy command ./splunk list inputstatus on the UF. I believe 6.3+ forwarders support the command, so as long its a newish UF, it will tell you exactly whats up!

- MattyMo
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!