Getting Data In

handling syslog...

a212830
Champion

Hi,

We are in the midst of implementing Splunk to handle syslog from all of our network devices. I've configured rsyslog to write the logs to a YYYY/MM/DD directory, in a "system-hostname.log" format.
Does anyone have a suggestion on how to handle all of these formats (a dozen+), and allow engineering to add new device types, without intervention on the Splunk side?

0 Karma

kristian_kolb
Ultra Champion

I would re-engineer the rsyslog configuration so that you have a directory structure like

/var/log/netscreen/<hostname>/yyyy-mm-dd.log
/var/log/f5/<hostname>/yyyy-mm-dd.log

etc. You'd have to set up the device-type subdirs manually and make sure that logs from a certain IP get written to the correct dir. I believe that you can use the rsyslog variables %HOSTNAME% or $fromhostip to create the hostname directories automatically, but you'll have to maintain the mapping of hostname (or IP) to device-type in the rsyslog conf. However, this is probably fairly static, and can be set up regardless of whether the devices are actually sending any logs (yet).

Then you can have a fairly 'static' Splunk config like so:

[monitor:///var/log/netscreen]
host_segment = 4
index = your_index
sourcetype = netscreen_syslog
ignoreOlderThan = 7d

[monitor:///var/log/f5]
host_segment = 4
index = your_index
sourcetype = f5_syslog
ignoreOlderThan = 7d

etc.

Hope this helps,

Kristian
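The rsyslog side of the layout Kristian describes, as an added example (not from the original answer): sender IPs are mapped to a device type through a lookup table, and the file path puts the hostname at segment 4 so the inputs.conf stanzas above work unchanged. The IPs, the file names and the "unclassified" bucket are assumptions; the lookup file shown in the comment is constructed.

```rsyslog
# /etc/rsyslog.d/10-netdevices.conf (added example; IPs and paths are assumed)
module(load="imudp")
input(type="imudp" port="514" ruleset="netdev")

# Sender-IP -> device-type map, kept in its own JSON file so engineering can
# add a device by editing one line and sending HUP, with no change in Splunk.
# Constructed contents of /etc/rsyslog.d/devtype.json:
# { "version": 1, "nomatch": "unclassified", "type": "string",
#   "table": [ { "index": "10.0.0.1", "value": "netscreen" },
#              { "index": "10.0.0.2", "value": "f5" } ] }
lookup_table(name="devtype" file="/etc/rsyslog.d/devtype.json" reloadOnHUP="on")

# /var/log/<devtype>/<hostname>/yyyy-mm-dd.log
# Counting from the root, segment 4 is the hostname, matching host_segment = 4.
template(name="DevTypeFile" type="string"
         string="/var/log/%$!devtype%/%HOSTNAME%/%$year%-%$month%-%$day%.log")

ruleset(name="netdev") {
    # Route on the sender's IP, not on the HOSTNAME field the sender supplies:
    # the hostname is chosen by the device and cannot be trusted for routing.
    set $!devtype = lookup("devtype", $fromhost-ip);
    action(type="omfile" dynaFile="DevTypeFile"
           template="RSYSLOG_TraditionalFileFormat"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
```

A sender that is not in the table lands under /var/log/unclassified/<hostname>/ rather than being dropped, so a monitor stanza on that directory with a generic sourcetype shows which new devices still need a mapping.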

a212830
Champion

Currently, the props file has entries for each device model - netscreens, checkpoint, f5.... I'd like to come up with a way to let engineering route the messages to splunk, and not be required (at least not initially) to add some code to process the files. We don't use a generic syslog sourcetype, as it's not detailed enough. So, we have a f5_syslog, netscreen_syslog... which actually comes in handy, since there are a number of extracts that only pertain to certain models.

0 Karma

lguinn2
Legend

What do you mean by "without intervention on the Splunk side"? Also, what are the differences in the formats? syslog generally defines a generic format which Splunk understands; if all of the logs follow this format, then the syslog sourcetype should work fine.

0 Karma