syslog server set-up

test_splunk15 · ‎05-15-2020

Hi,

As a temporary measure (for 3 months), we have been asked to set-up one of the splunk server (HF) to work as syslog server which should receive logs from trend for security events.

I have gone through few URLs and pages from other questions but couldn't see end-to-end set-up, reason being I can't see any service with syslog in my server as such but by default we have rsyslog service running (I've configured and tested between UB as server and HF as client but however I've been asked to use syslog instead rsyslog for temp purpose).

For my local testing, I am trying to test my UB as server and HF as client before we actually gets logs from trend (Which will be our actual client), in client (We're asked to use TCP only no UDP) what are all settings required (where to configure server details )again as I said I dont see anything specific to syslog but rsyslog (is this valid usecase? )

however port I've enabled under /etc/services as :
syslog myport/tcp #syslogclient

From server side (in UB) configured inputs.conf with the client info.

any leads on specifically on syslog configurations ( also with TCP we will have data lose with this mechanism?) any documentation link would be helpful.

Thanks.

test_splunk15 · ‎05-15-2020

for syslog

service syslog restart
Redirecting to /bin/systemctl restart syslog.service

Failed to restart syslog.service: Unit not found.

in this scenario, splunk will accept from rsyslog or syslog-ng (client) or server side too we should have the respective rsyslog/ syslog-ng conf