Getting Data In

What's the next step to set up my universal forwarder on a syslog server?

jgorman_THG
Explorer

Hello,

I am trying to bring a client's syslog data into Splunk using a universal forwarder (UF) on a syslog server. I am getting Splunk internal logs, and I am getting Linux logs off the box.

The permissions seem to be set correctly and I am not seeing any errors in the Splunk internal logs.

Any ideas of where I can go from here?

My input stanza looks like the following:

[monitor:///var/log/client_name]
recursive = true
crcSalt =
queue = parsingQueue
sourcetype = netscreen:firewall
host_segment = 4
disabled = 0

Thanks,

JG


bheemireddi
Communicator

Hi jgorman_THG,

It would be a good practice to collect these syslogs and write them into directories that are accessible by the splunk user. syslog-ng has a lot of features for collecting/filtering the messages and writing them into whatever directories you want. This process makes it easier to configure the inputs on the UF and to parse the logs for metadata like the host field, etc.


mattymo
Splunk Employee

Hey JG!

/var/log is usually owned by root or by admin groups. You likely just need to chown the log file, or have the splunk user added to adm group, etc. Make sure the sysadmin configures logrotate to keep the new perms too!

You can confirm by checking the status of any input with the super handy command ./splunk list inputstatus on the UF. I believe 6.3+ forwarders support the command, so as long as it's a newish UF, it will tell you exactly what's up!

- MattyMo
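Both answers come down to the same check: can the account the forwarder runs as actually read the files under the monitored path, and traverse every directory on the way to them? The script below is an added example, not code from the thread or from Splunk; it walks a directory the way a [monitor://] stanza would and reports every file or directory the service account could not open, judging by the ownership and mode bits that `ls -l` shows. It assumes a Linux host with POSIX `ls -l` output, and the account name (second argument, defaulting to "splunk") is an assumption about your deployment. Run it before and after the chown / adm-group / logrotate changes mattymo describes, and use ./splunk list inputstatus on the UF as the authoritative confirmation.

```shell
#!/bin/sh
# Added example (not from the thread): audit a monitored directory for files the
# forwarder's service account could not read and directories it could not traverse.
# Assumes POSIX `ls -l` output (mode links owner group ...). $1 is the directory,
# $2 the service account (assumed name "splunk" by default). Prints one line per
# problem and nothing when everything is accessible.
audit_log_perms() {
  dir="$1"
  uf_user="${2:-splunk}"
  # Groups the service account belongs to; empty if the account does not exist.
  uf_groups=$(id -Gn "$uf_user" 2>/dev/null || true)

  # Extract one character (1-based position) from a mode string such as -rw-r-----.
  bit() { printf '%s\n' "$1" | cut -c"$2"; }

  find "$dir" \( -type f -o -type d \) | while read -r path; do
    # Split the ls line into mode, link count, owner, group (path pieces follow).
    set -- $(ls -ld "$path")
    mode=$1; owner=$3; group=$4

    # Directories must be executable (searchable) to reach what is inside them;
    # files must be readable. Mode string positions: 2-4 owner, 5-7 group, 8-10 other.
    if [ -d "$path" ]; then
      want=x; u=$(bit "$mode" 4); g=$(bit "$mode" 7); o=$(bit "$mode" 10)
    else
      want=r; u=$(bit "$mode" 2); g=$(bit "$mode" 5); o=$(bit "$mode" 8)
    fi

    ok=no
    if [ "$owner" = "$uf_user" ] && [ "$u" = "$want" ]; then ok=yes; fi
    # Group access only counts if the service account is a member (e.g. adm).
    case " $uf_groups " in
      *" $group "*) if [ "$g" = "$want" ]; then ok=yes; fi ;;
    esac
    if [ "$o" = "$want" ]; then ok=yes; fi

    if [ "$ok" = no ]; then
      printf 'NOT ACCESSIBLE to %s: %s (%s %s:%s)\n' "$uf_user" "$path" "$mode" "$owner" "$group"
    fi
  done
}

# Usage: audit_log_perms /var/log/client_name splunk
```

A file that passes here can still be lost after the next rotation if logrotate recreates it with the old owner and mode, so keep the `create` directive in the logrotate stanza in step with whatever permissions this audit now reports as clean.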