Re: syslog report from an externan DB

lcunha · ‎01-09-2012

Hi,

i am using an mysql database to store the syslog logs. Can splunk work with this and produce syslog reports and analisys?

rgaube · ‎05-31-2017

By now the Splunk app DB connect (https://docs.splunk.com/Documentation/DBX/3.0.3/DeployDBX/AboutSplunkDBConnect) could be used to pull out the syslog data from the database.

dwaddle · ‎01-09-2012

It would take some work, but yes. Splunk does not natively read out of MySQL databases, and it cannot use them for storage. Splunk uses its own on-disk data structure to store log data, and reads out of it search time. So you would wind up storing all of your syslogs twice - once in mysql and once in Splunk.

You would have two ways of getting your data into Splunk -- the easiest would be to have whatever is putting it into mysql to also write to flat files which Splunk could ingest. Alternately, you could write a script that pulls events out of MySQL and feeds them into Splunk (this could be the more difficult path)

Ayn · ‎01-09-2012

No, not without significant effort. Splunk isn't designed to read data from an external database in that way - it has its own database (its "index") which it operates on that is built specifically for Splunk's purposes. You could of course write a script that pulls everything out of the database into Splunk's own index but you'd just end up with the same data in two places.

syslog report from an externan DB

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?