How to start indexing a new syslog host?

dritjon · ‎10-14-2022

Bear with me as this is the first time im doing this.

I configured a vmware host to send its events via syslog to splunk. It is working. Raw logs are stored in /opt/syslog/192.168.x.x in four different types (local, daemon logs etc)

Now, how do I index these logs? How do I create a new index=vmware which will start index raw logs and I can start searching?

Googled a bit but I cant find a step-by-step tutorial

gcusello · ‎10-14-2022

Hi @dritjon,

let me understand: you configured a syslog-ng or anotehr kind of syslog server that writes the received logs in files of the above folder, is it correct?

The second question is: syslog server in on the same server where Splunk is installed or in a different one?

If in the same server you have to:

by GUI create a new index (better) or use an existing one (e.g. main) [Settings -- Indexes -- new Index],
by GUI create a new input [Settings -- Data inputs -- Files & Directories -- New Local File & Directory]
use your logs in searches

if in different servers, you have to:

on Splunk Server Configure receiving [Settings -- Forwarding and receiving - Receiving]
on Splunk Server by GUI create a new index (better) or use an existing one (e.g. main) [Settings -- Indexes -- new Index],
install a Universal Forwarder on the syslog server
configure Universal Forwarder to send data to Splunk (https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Configureforwarderswithoutputs.c...)
configure input on this server (for more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Usingforwardingagents and https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Monitorfilesanddirectories
on Splunk Server use your logs in searches

Ciao.

Giuseppe

How to start indexing a new syslog host?

indexer

search head

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?