Getting Data In

syslog server ip to monitor access.log via 514 port

Communicator
######################## Mcafee ################################
$template RemoteHostMcafee,"/applis/LMD/logs/mcafee/%HOSTNAME%/%$MONTH%-%$DAY%.log"

## process mcafee  messages
# define new ruleset and add rules to it:
$RuleSet mcafee
*.* ?RemoteHostMcafee

## bind ruleset to tcp listener
$InputTCPServerBindRuleset mcafee

## and activate it:
$InputTCPServerRun 514

## bind ruleset to udp listener
$InputUDPServerBindRuleset mcafee
## and activate it:
$UDPServerRun 514

I have added above patch of code to rsyslog.conf file to get the data coming via port 514 but even then i am not seeing the machine ips folder created under mcafee directory.
Is there any other configuration which i need to do to get the logs to splunk ?

Tags (2)
0 Karma

Communicator

As FrankVl said, getting your logs into Splunk is a separate process, for which you usually use a Splunk Universal Forwarder with an inputs.conf to monitor the folder you create for files.

On your rsyslog service, one thing I note is that you used "%HOSTNAME%", which may or may not map to the IP addresses of machines sending logs to this rsyslog server -- it could be names instead, depending on the rsyslog server config and syslog protocol version on those clients.

One thing to try (assuming your rsyslog server is Linux) is to use tcpdump to see if there are things coming in on the UDP port 514 at all. If there are, then you may go one step further by capturing some packets and look at them in Wireshark to see what the syslog messages look like.

0 Karma

Super Champion

Please try (old rsyslog format-style)

######################## Mcafee ################################
$template RemoteHostMcafee,"/applis/LMD/logs/mcafee/%HOSTNAME%/%$MONTH%-%$DAY%.log"

# better template is to identify Port & facility & severity
# $template RemoteHostMcafee,"/applis/LMD/logs/mcafee/514/%HOSTNAME%/%syslogfacility-text%.%syslogseverity-text%.log"

## process mcafee  messages
# define new ruleset and add rules to it:
$RuleSet mcafee
$RulesetCreateMainQueue on                 # create ruleset-specific queue

*.* ?RemoteHostMcafee;RSYSLOG_SyslogProtocol23Format

& ~
# end of rules

## bind ruleset to tcp listener
$InputTCPServerBindRuleset mcafee
$InputTCPServerRun 514
## bind ruleset to udp listener
$InputUDPServerBindRuleset mcafee
$UDPServerRun 514
######################## Mcafee ################################

Ensure
1. If you are using a separate template, ensure your base rsyslog.conf does an IncludeConfig of your new file path ($IncludeConfig /etc/rsyslog.d/*.conf)
2. Ensure you restart rsyslogd after you make your changes

0 Karma

Ultra Champion

Some generally useful tips for configuring rsyslog, but apart from the "ensure you restart" I don't see anything in here that would fix his issues. It should work fine without a separate queue, it should work fine without the & ~ (stop command) since this is within a ruleset that has no further actions defined anyway.

While it may be useful to also print facility, port and severity, I would definitely recommend keeping the timestamped filenames, to let rsyslog create a new file every hour. That keeps the files smaller (which splunk likes), makes troubleshooting easier and is also a nicer way of 'rotating' than using logrotate.

Also: as far as I understand from his question, he added this to the main rsyslog config, so no need for using $IncludeConfig. Although I do agree using separate files and including them that way is highly recommendable to keep things manageable.

0 Karma

Ultra Champion

To get the logs to splunk is a separate topic I guess, but to troubleshoot your rsyslog issue:

Did you restart rsyslog after adding this config?
Did you check rsyslog's own logs for errors on startup?
Under what user is rsyslog running?
Does that user have write permissions in the mcafee folder?
Did you check if rsyslog indeed started listening on the configured port(s)?
Did you run a tcpdump to confirm there is indeed syslog messages coming in on the expected port(s)?

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!