Splunk Enterprise

Having Syslog logs into SPLUNK

siemsplunk
Explorer

We are in the process of data onboarding.

We managed to deploy a distributed architecture in which we have 3 indexers, 3 search heads, a cluster master, a deployer, a deployment server, and 2 intermediate forwarders.

On my syslog server, I receive logs from the firewall through syslog port 10514, and I managed to install a forwarder on my syslog server connected to my deployment server. In my forwarder configuration file, I connect to both intermediate forwarders.

Now help me finish this task: how can I manage to see the firewall logs in my Splunk? What do you think I should edit on my syslog server? Please remember I don't write the syslog (firewall) logs into a file; they are streamed logs.

My forwarder inputs.conf file:

[udp://514]
connection_host = ip
index = tcra_firewall_idx
sourcetype = tcra:syslog:log

0 Karma
1 Solution

Tom_Lundie
Contributor

Hi,

It sounds like you've made great progress, nice one.

There are multiple designs and opinions out there regarding getting syslog into Splunk. It's up to you to decide what's best.

To get you started, there are tools such as Splunk Connect for Syslog, which provides an "all in one" feel. You can also use a syslog service such as rsyslog or syslog-ng to listen for your logs and cache them to disk, and then forward them via a monitor stanza in inputs.conf.

However, if you want Splunk to listen directly, here is an example inputs.conf that you can tweak for your deployment:

[udp://10514]
disabled = false
connection_host = ip
sourcetype = <<firewall_product>>
index = main

For sourcetype, look on Splunkbase for your firewall vendor to check if there is an appropriate TA that you can use for field extractions. For example, a Palo Alto firewall would be pan_log.

For index, pick an appropriate index to suit your needs.

Finally, inputs.conf can be deployed either within an app (recommended) or directly under /opt/splunk/etc/system/local/.

Also, make sure that 10514 is permitted on the local firewall.


0 Karma

siemsplunk
Explorer

Thanks for the help

I see the logs now,

I tried using a different port to take the logs from the syslog conf file.

source s_network {
    udp(port(10514));
};

destination d_splunk {
    udp("localhost" port(11514));
};

log {
    source(s_network);
    destination(d_splunk);
};

With this, I now see the logs...


0 Karma
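As an added check that is not part of this thread, the script below ties together the two halves of the design discussed above: the [udp://<port>] stanza from the accepted answer and the syslog-ng relay posted in this reply. It parses a Splunk inputs.conf and a syslog-ng fragment (both constructed inline here and modelled on the ones in the thread) and reports where they disagree: a syslog-ng destination on localhost with no matching enabled Splunk listener, a Splunk stanza on the same UDP port that syslog-ng itself binds as a source (two daemons cannot both bind one UDP port on a host, which is why relaying to a second local port works), and a sourcetype left as the <<firewall_product>> placeholder. The sourcetype pan_log and index tcra_firewall_idx in the sample are taken from the thread, and the regexes only understand the legacy udp()/tcp() driver syntax shown in the reply, not the newer network() driver.

```python
# Added example (not from the thread): cross-check a syslog-ng relay
# fragment against a Splunk inputs.conf so the two halves of the
# "syslog-ng forwards to a local Splunk UDP listener" design agree.
import configparser
import re

# Constructed inputs.conf, modelled on the accepted answer's stanza, with
# the port set to the one the syslog-ng destination below sends to.
INPUTS_CONF = """\
[udp://11514]
disabled = false
connection_host = ip
sourcetype = pan_log
index = tcra_firewall_idx
"""

# Constructed syslog-ng fragment, modelled on the one posted in the thread.
SYSLOG_NG_CONF = """\
source s_network {
    udp(port(10514));
};

destination d_splunk {
    udp("localhost" port(11514));
};

log {
    source(s_network);
    destination(d_splunk);
};
"""

# Splunk network input stanzas look like [udp://<port>] or [udp://<host>:<port>].
LISTENER_RE = re.compile(r"(udp|tcp)://(?:[^:]+:)?(\d+)$")
# Legacy syslog-ng udp()/tcp() drivers: udp(port(N)) or udp("host" port(N)).
SRC_RE = re.compile(r'source\s+\w+\s*\{[^}]*?(udp|tcp)\(\s*(?:"[^"]+"\s+)?port\((\d+)\)\s*\)')
DST_RE = re.compile(r'destination\s+\w+\s*\{[^}]*?(udp|tcp)\(\s*"([^"]+)"\s+port\((\d+)\)\s*\)')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_inputs_conf(text):
    """Map (proto, port) -> stanza settings for every network listener stanza."""
    # Only "=" separates key and value; values such as tcra:syslog:log contain colons.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    listeners = {}
    for section in cp.sections():
        m = LISTENER_RE.match(section)
        if m:
            listeners[(m.group(1), int(m.group(2)))] = dict(cp[section])
    return listeners


def parse_syslog_ng(text):
    """Return (sources, destinations): [(proto, port)] and [(proto, host, port)]."""
    sources = [(p, int(port)) for p, port in SRC_RE.findall(text)]
    dests = [(p, host, int(port)) for p, host, port in DST_RE.findall(text)]
    return sources, dests


def check_relay(inputs_text, syslog_text):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    listeners = parse_inputs_conf(inputs_text)
    sources, dests = parse_syslog_ng(syslog_text)

    for proto, port in sources:
        # syslog-ng and Splunk cannot both bind the same UDP port on one host.
        if (proto, port) in listeners:
            findings.append(f"{proto}/{port}: syslog-ng source and Splunk stanza both bind this port")

    for proto, host, port in dests:
        if host not in LOCAL_HOSTS:
            continue  # remote destination; nothing local to compare against
        stanza = listeners.get((proto, port))
        if stanza is None:
            findings.append(f"{proto}/{port}: syslog-ng sends here but inputs.conf has no [{proto}://{port}] stanza")
            continue
        if stanza.get("disabled", "false").lower() in ("1", "true"):
            findings.append(f"{proto}/{port}: stanza is disabled")
        sourcetype = stanza.get("sourcetype", "")
        if not sourcetype or sourcetype.startswith("<<"):
            findings.append(f"{proto}/{port}: sourcetype is unset or still a placeholder ({sourcetype!r})")
        if not stanza.get("index"):
            findings.append(f"{proto}/{port}: index is unset")
    return findings


if __name__ == "__main__":
    for line in check_relay(INPUTS_CONF, SYSLOG_NG_CONF) or ["OK: syslog-ng relay and inputs.conf agree"]:
        print(line)
```

Run against the original [udp://514] stanza from the question, the script reports that syslog-ng sends to udp/11514 but inputs.conf has no listener there; run against the answer's template stanza with the relay pointed at the same port 10514, it flags both the port collision and the untouched sourcetype placeholder.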

siemsplunk
Explorer

@Tom_Lundie What about the syslog configuration? What should I do with it?

0 Karma

Tom_Lundie
Contributor

I'm not sure what you're stuck with.

Ideally, I would need to see your current configurations and error messages to support you.

What configuration file(s) are you stuck with?
Are your _internal logs reaching the indexers?
Are you getting any errors?

0 Karma

siemsplunk
Explorer

Thank you so much for your help.

I am new to Splunk and I really want to master it. I will go and check the config as you said and I will let you know.

0 Karma
