First Part
I configured a central syslog server where I planned to collect all logs from all syslog devices.
My syslog configuration is below:
$ModLoad imudp
$UDPServerRun 514
$template RemoteLogs,"/central/%HOSTNAME%/%HOSTNAME%.log"
*.* ?RemoteLogs
& stop
Local system logs are also being saved under /central/localhostname.
How can I fix this issue?
====================
2nd Part
However, at this point I am getting logs from Sophos and they are saved at /central/$hostname$/gateway.log
I installed the UF on the syslog server and below is my inputs.conf file.
[root@sysxx ~]# cat /opt/splunkforwarder/etc/system/local/inputs.conf
[default]
[monitor:///cental/gateway/]
index = sophos
sourcetype = sophos:utm:firewall
disabled = 0
All my logs are going to the main index.
If I move the index and sourcetype parameters above [monitor:///cental/gateway/], then I can see the logs under index=sophos.
How can I solve this?
In future I will have logs from more data sources and I want to index them under different index names.

1st part... I need to know what version of syslog you're running.
2nd part... you usually achieve this with filters at the syslog level if you're comfortable with that, or with virtual IPs on the existing NIC. With filters, see your syslog documentation on how to implement them. In general you'll filter certain hosts to certain folder paths.
With VIPs, you'll configure syslog to listen on specific IPs and send those to specific file paths.
Remember that you can only bind a single port once per IP address. But you can add as many IPs to a single network interface card as you like (up to a very large number); however, this can affect performance negatively too. In larger syslog environments it's not uncommon to see 4+ network cards in use on each syslog server, and perhaps some load balancers as well.
Syslog version is "rsyslogd 8.24.0".
My second point was related to the index issue.

Mine too...
In syslog, listen on multiple network cards, multiple VIPs, multiple ports, each with their own data folder paths.
Then in inputs.conf use wildcards and monitor statements:
[monitor:///path/to/Cisco/data/*.log]
index=cisco
And so on.
By writing the index statement under the monitor statement, the logs are still going to the main index. But if I write the index statement above [monitor:///cental/gateway/], the logs are getting saved in index=Sophos.
Let me explain in more detail:
1- I have one syslog server where all the network devices send logs, and those logs are saved at
/central/$hostname$/$hostname$.log
2- I installed the UF on that syslog server and configured it to send logs to the HF.
3- With this config (as shown above), all logs are going to the main index.
Interestingly, when I define the index on top (before [monitor:///cental/gateway/]), the logs are getting saved in index=Sophos.

Can you add *.log to your monitor stanza and try again?
Also can you completely delete the monitor statement and retype it? Don’t copy and paste. It seems as if a special character is causing the ] on the end of [default] to be ignored.
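The symptom in this thread (index applied only when written above the monitor line, everything else landing in main) is exactly what a stanza header that Splunk does not recognise produces: every setting below it silently falls into the previous stanza, usually [default]. The following added linter, which is not Splunk's code and not from this thread, reproduces that diagnosis offline. It models a simplified version of the conf parser (assumption: a header is a line that is exactly [name] containing only printable ASCII; comments and continuation lines are ignored), then reports hidden characters, headers that will not parse, an index set in [default], a monitor stanza with no index, and a monitored path that does not exist. The sample configs and the zero-width space in them are constructed for the demonstration; the path typo mirrors /cental/ vs /central/ in the posts above.

```python
"""Lint a Splunk universal-forwarder inputs.conf for the failure modes discussed
in the thread. Added example; not Splunk's own code and not the poster's files."""
import os
import re
import unicodedata

# A conf file should contain only printable ASCII plus tab.
_ALLOWED = set(range(0x20, 0x7F)) | {0x09}
STANZA_RE = re.compile(r"^\[([^\[\]]+)\]$")


def hidden_chars(line):
    """Return [(column, unicode name)] for every character outside printable ASCII."""
    return [(col, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for col, ch in enumerate(line) if ord(ch) not in _ALLOWED]


def is_header(line):
    """Treat a line as a stanza header only if it is exactly [name] with no hidden
    characters (assumption modelled on the thread's symptom, not on Splunk's source)."""
    return bool(STANZA_RE.match(line)) and not hidden_chars(line)


def parse_stanzas(text):
    """Return an ordered list of (stanza, settings, header_line). Settings before
    the first header belong to the implicit [default] stanza; comments, blank
    lines and continuation lines are ignored (simplification of Splunk's parser)."""
    stanzas = [["default", {}, 0]]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if is_header(line):
            stanzas.append([line[1:-1], {}, lineno])
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return [tuple(s) for s in stanzas]


def lint_inputs_conf(text, path_exists=os.path.exists):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        for col, name in hidden_chars(raw):
            findings.append(f"line {lineno} col {col}: hidden character {name}")
        line = raw.strip()
        if line.startswith("[") and not is_header(line):
            findings.append(f"line {lineno}: looks like a stanza header but will not be "
                            "parsed as one; the settings below it fall into the previous stanza")
    for name, settings, lineno in parse_stanzas(text):
        if name == "default":
            if "index" in settings:
                findings.append(f"[default] sets index={settings['index']}: "
                                "this applies to every input on the forwarder")
            continue
        if not name.startswith("monitor://"):
            continue
        path = name[len("monitor://"):]
        if "index" not in settings:
            findings.append(f"line {lineno}: [{name}] sets no index; events go to the "
                            "forwarder's default index (usually main)")
        # For wildcard paths, check the directory above the first wildcard.
        check = path if "*" not in path else os.path.dirname(path.split("*", 1)[0])
        if not path_exists(check):
            findings.append(f"line {lineno}: monitored path {check!r} does not exist "
                            "(typo?) so this stanza never collects anything")
    return findings


# Constructed samples (not the thread's real files). HIDDEN_CONF hides a zero-width
# space in the header, reproducing the "index only works when written above the
# monitor line" symptom; TYPO_CONF misspells the path and omits the index;
# GOOD_CONF is the corrected form.
HIDDEN_CONF = ("[monitor:///central/*/gateway.log\u200b]\nindex = sophos\n"
               "sourcetype = sophos:utm:firewall\ndisabled = 0\n")
TYPO_CONF = ("[default]\n[monitor:///cental/gateway/]\n"
             "sourcetype = sophos:utm:firewall\ndisabled = 0\n")
GOOD_CONF = ("[monitor:///central/*/gateway.log]\nindex = sophos\n"
             "sourcetype = sophos:utm:firewall\ndisabled = 0\n")

if __name__ == "__main__":
    exists = lambda p: p.startswith("/central")  # stand-in for os.path.exists
    for label, conf in (("hidden", HIDDEN_CONF), ("typo", TYPO_CONF), ("good", GOOD_CONF)):
        print(label, lint_inputs_conf(conf, path_exists=exists) or ["ok"])
```

Run it against the forwarder's real file with `lint_inputs_conf(open(path, encoding="utf-8").read())`; a hidden-character finding is the "retype it, don't paste it" case, and a [default] index finding explains why logs from every other monitor would also end up in that index.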
Hi jkat54,
I rewrote all the stanzas again.
No copy/paste.
Below is my final inputs.conf:
[root@xx bin]# cat /opt/splunkforwarder/etc/system/local/inputs.conf
[default]
[monitor:///cxxal/xx/xxay.log]
disabled = 0
index = sxphxs
sourcetype = sxphxs:firewall
Now all logs are appearing under the sxphxs index.
Great.
Thanks for this smart tip.
