Getting Data In

What's the next step to set up my universal forwarder on a syslog server?

jgorman_THG
Explorer

Hello,

I am trying to bring a client's syslog data into Splunk using a universal forwarder (UF) on a syslog server. I am getting Splunk internal logs, and I am getting Linux logs off the box.

The permissions seem to be set correctly and I am not seeing any errors in the Splunk internal logs.

Any ideas of where I can go from here?

My input stanza looks like the following:

[monitor:///var/log/client_name]
recursive = true
crcSalt =
queue = parsingQueue
sourcetype = netscreen:firewall
host_segment = 4
disabled = 0

Thanks,

JG

0 Karma

bheemireddi
Communicator

Hi jgorman_THG,

It would be a good practice to collect these syslogs and write them into directories that are accessible by the splunk user. syslog-ng does have a lot of features where you can collect/filter and write the messages into the appropriate dirs you want. This process makes it easier to configure the inputs on the UF and to parse the logs for metadata like the host field, etc.

0 Karma

mattymo
Splunk Employee

Hey JG!

/var/log is usually owned by root or by admin groups. You likely just need to chown the log file, or have the splunk user added to adm group, etc. Make sure the sysadmin configures logrotate to keep the new perms too!

You can confirm by checking the status of any input with the super handy command ./splunk list inputstatus on the UF. I believe 6.3+ forwarders support the command, so as long as it's a newish UF, it will tell you exactly what's up!

- MattyMo
0 Karma
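The permission problem MattyMo describes is easy to check before touching chown or group membership. The script below is an added example, not something posted in this thread: it walks a [monitor://] root and lists every file that is not world-readable and not readable by a given group, plus every directory that group cannot traverse, which is exactly the state a root-owned /var/log tree with 0600 files leaves a non-root splunk user in. It assumes a find that supports -perm and -group (GNU and BSD both do) and, for the demo, builds a constructed temp tree instead of touching /var/log/client_name.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: check_monitor_path DIR GROUP
# where GROUP is the group the splunk user belongs to (e.g. adm). The checks
# reason purely from mode bits and ownership, so they work even when run as
# root, which can read everything and therefore proves nothing on its own.

# Files a member of GROUP cannot read: no world-read bit, and either not
# owned by GROUP or missing the group-read bit.
unreadable_files_for_group() {
    find "$1" -type f ! -perm -004 \( ! -group "$2" -o ! -perm -040 \) | sort
}

# Directories a member of GROUP cannot enter and list: same logic with r+x.
unreadable_dirs_for_group() {
    find "$1" -type d ! -perm -005 \( ! -group "$2" -o ! -perm -050 \) | sort
}

# Verdict for one monitored path. Returns 0 when every file and directory
# under DIR is reachable by GROUP, 1 otherwise, and prints the offenders.
check_monitor_path() {
    dir="$1"; group="$2"
    bad_d=$(unreadable_dirs_for_group "$dir" "$group")
    bad_f=$(unreadable_files_for_group "$dir" "$group")
    if [ -z "$bad_d" ] && [ -z "$bad_f" ]; then
        echo "OK: everything under $dir is readable by group $group"
        return 0
    fi
    [ -n "$bad_d" ] && printf 'directories not traversable by %s:\n%s\n' "$group" "$bad_d"
    [ -n "$bad_f" ] && printf 'files not readable by %s:\n%s\n' "$group" "$bad_f"
    return 1
}

# Constructed demo tree standing in for /var/log/client_name. The group used
# is the caller's own primary group so the demo runs unprivileged.
demo() {
    root=$(mktemp -d)
    grp=$(id -gn)
    mkdir -p "$root/fw1"
    chmod 755 "$root" "$root/fw1"
    printf 'open\n'   > "$root/fw1/open.log";   chmod 644 "$root/fw1/open.log"
    printf 'group\n'  > "$root/fw1/group.log";  chgrp "$grp" "$root/fw1/group.log"; chmod 640 "$root/fw1/group.log"
    printf 'secret\n' > "$root/fw1/secret.log"; chmod 600 "$root/fw1/secret.log"
    check_monitor_path "$root" "$grp" || true   # reports secret.log
    chmod 640 "$root/fw1/secret.log"; chgrp "$grp" "$root/fw1/secret.log"
    check_monitor_path "$root" "$grp" || true   # now OK
    rm -rf "$root"
}

demo
```

Run it against the real path as, say, `check_monitor_path /var/log/client_name adm` once the splunk user has been added to adm. Whatever you fix by hand will be undone at the next rotation unless the logrotate stanza for those files carries a matching `create` line (for example `create 0640 root adm`), which is the "keep the new perms" point above. After that, `./splunk list inputstatus` on the UF should show the files as being read rather than merely configured.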