Is my syslog-ng wrong?

ryanaa (Explorer)

I want to use syslog-ng to feed data from the universal forwarder into my search head.

I will use TCP, but I don't know what went wrong; I can't see my data in the search head.

This is my syslog-ng splunk.conf:

# Posted config with syntax fixes: each filter statement needs a trailing ';',
# the template is renamed so it does not reuse the "syslog" driver keyword,
# the regex avoids backslash escapes inside the quoted string, and the UDP
# port is stated explicitly.
template t_syslog {
        template("${DATE} ${HOST} ${MESSAGE}\n");
};

# With flags(no-parse) on the source, the raw "<PRI>" header stays in
# ${MESSAGE}; this strips it by hand.
rewrite rewrite_stripping_priority {
        subst("^<[0-9]+>", "", value("MESSAGE"));
};

source src_udp_514 {
        udp(ip("0.0.0.0") port(514) so_rcvbuf(16777216) keep_timestamp(yes) flags(no-parse));
};

destination dest_tcp_10001 {
        tcp("127.0.0.1" port(10001) template("t_syslog"));
};

filter f_linux_server {
        netmask(172.18.0.8/32);
};

destination dest_tcp_10002 {
        tcp("127.0.0.1" port(10002) template("t_syslog"));
};

filter f_linux_server2 {
        netmask(172.18.0.9/32);
};

log {
        source(src_udp_514);
        rewrite(rewrite_stripping_priority);
        if (filter(f_linux_server)) {
                destination(dest_tcp_10001);
        }
        elif (filter(f_linux_server2)) {
                destination(dest_tcp_10002);
        };
};

I also already set up TCP 10001 and 10002 on my universal forwarder.


Bazsi771 (New Member)

I tried to copy-paste your Chinese text into Google Translate to understand what you want to accomplish, but I am not sure the translation is correct:

"I want to use syslog-ng to input data from the universal forwarder to my search head I'm going to use TCP but I don't know what's wrong and I can't display my data in the search header "

Your syslog-ng seems to be receiving syslog data on port 514 and then delivering the data to 10001/10002 TCP depending on the source IP, while doing some transformation. Are 10001 and 10002 where your search heads are? Or are those ports opened by the UF?

Usually the easiest way to send syslog data to Splunk is by using HEC (HTTP Event Collector), and if you were using that, you could simply assign host/source/sourcetype to a specific log message, with no need to use separate ports.

Also, you are manually getting rid of the priority header (i.e. removing the <NNN> at the front), but that would be taken care of by the actual syslog parser in syslog-ng, which you disabled via flags(no-parse).

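As an added example (not part of the thread above and not from the syslog-ng project's documentation), this is what the two points in the reply look like in a config: the source is left in parsed mode so syslog-ng strips the <PRI> header itself, and a single HEC destination carries host and sourcetype in the JSON body instead of one TCP port per sender on the forwarder. The HEC URL, the token, the CA directory and the sourcetype names are placeholders; the netmask filters are the ones from the original post.

```conf
# Added example, not the poster's config: parsed syslog source, per-sender
# sourcetype, one Splunk HEC destination.
# Placeholders: HEC URL, token, CA directory, sourcetype names.
@version: 3.38
@include "scl.conf"

source src_udp_514 {
        # No flags(no-parse): the syslog parser strips "<PRI>", fills ${HOST},
        # ${PROGRAM} and ${MESSAGE}; keep-timestamp(yes) keeps the sender's
        # timestamp in ${ISODATE} instead of the receive time.
        network(ip("0.0.0.0") port(514) transport("udp")
                so-rcvbuf(16777216) keep-timestamp(yes));
};

filter f_linux_server  { netmask(172.18.0.8/32); };
filter f_linux_server2 { netmask(172.18.0.9/32); };

# The sourcetype rides in a private name-value pair. A default is set first,
# so senders that match neither filter are still delivered, not dropped.
rewrite r_sourcetype_default { set("syslog"        value(".splunk.sourcetype")); };
rewrite r_sourcetype_server1 { set("linux:server1" value(".splunk.sourcetype")); };
rewrite r_sourcetype_server2 { set("linux:server2" value(".splunk.sourcetype")); };

# One HEC destination for every sender; Splunk reads host/source/sourcetype
# from the JSON body. Token and URL are placeholders.
destination d_splunk_hec {
        http(
                url("https://splunk.example.internal:8088/services/collector/event")
                method("POST")
                headers("Authorization: Splunk 00000000-0000-0000-0000-000000000000")
                tls(peer-verify(yes) ca-dir("/etc/ssl/certs"))
                body("$(format-json --pair host=\"${HOST}\" --pair source=\"syslog-ng\" --pair sourcetype=\"${.splunk.sourcetype}\" --pair event=\"${ISODATE} ${HOST} ${MESSAGE}\")")
        );
};

log {
        source(src_udp_514);
        rewrite(r_sourcetype_default);
        if (filter(f_linux_server)) {
                rewrite(r_sourcetype_server1);
        } elif (filter(f_linux_server2)) {
                rewrite(r_sourcetype_server2);
        };
        destination(d_splunk_hec);
};
```

With this layout the universal forwarder is no longer in the path: syslog-ng posts straight to the HEC endpoint, so the inputs.conf TCP stanzas on the UF are not needed. Check the config with `syslog-ng --syntax-only` before reloading, and keep peer-verify(yes) so the HEC token is only ever sent to the indexer you expect.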