Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

syslogs for network equipments to forward syslog to splunk indexer

pacifikn
Communicator
‎01-15-2020 10:38 PM

Greetings!!

I would like to ask about Syslog logs for network devices,

I have added new network devices by doing configuration to send logs into Splunk log collector server ,

what I have done:

configuration of network devices to send logs and after configuration, I checked in Splunk Syslog collector server I verified that logs are received well

secondly Splunk configuration In order to collect and index the new data in Splunk, I have done with Splunk configuration input.

before all it was working good with my 4 index

But now after added other the same network devices(Syslog) and modify the "inputs.conf " by adding other devices

Now I faced an issue, where all logs from Syslog sender(network devices) received in Splunk directory, this Splunk Syslog directory is full and I have deleted logs and stop the added devices to send logs,

BUT now all these exercises CAUSE me to not receiving logs in Splunk search GUI,
after bringing them as it is before!

how to troubleshoot this to see logs in Splunk search?
when verifying in Syslog directory I can see logs are received well, but the only problem is that I can't see it in Splunk search GUI? how to fix this, I NEED YOUR HELP ME, thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-15-2020 11:56 PM

Hi @pacifikn,
let me understand, correct me if I'm wrong:

  • you have many appliances that send logs to a syslog concentrator;
  • this syslog concentrator writes received logs in files stored in a folder;
  • using a Universal Forwarder (or an Heavy Forwarder?), you read these files and send them to Indexers;
  • your folder now is full so you you deleted the older files;

Why do you stopped to syslog send? This approach is correct.

Eventually you could install on the syslog collector an Heavy Forwarder (a full Splunk instance that forwards all the logs to Indexers) and use it as Syslog collector, so you haven't the problem of the full folder because syslogs are immediately (if network is ok) sent to indexers and you don't need to delete files.

Only one hint: if you have one syslog collector (as your one or using an Heavy Forwarder) you have a Single Point of Failure so, if your syslog collector is down for failure or maintenance, you lose your syslogs.
To solve this problem, you could use two Heavy Forwarders putting in front of them a Load Balancer that distributes traffic between HFs and manages failures; if in your infrastructure you haven't an hardware Load balancer, you can use a DNS configuration.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-15-2020 11:56 PM

Hi @pacifikn,
let me understand, correct me if I'm wrong:

  • you have many appliances that send logs to a syslog concentrator;
  • this syslog concentrator writes received logs in files stored in a folder;
  • using a Universal Forwarder (or an Heavy Forwarder?), you read these files and send them to Indexers;
  • your folder now is full so you you deleted the older files;

Why do you stopped to syslog send? This approach is correct.

Eventually you could install on the syslog collector an Heavy Forwarder (a full Splunk instance that forwards all the logs to Indexers) and use it as Syslog collector, so you haven't the problem of the full folder because syslogs are immediately (if network is ok) sent to indexers and you don't need to delete files.

Only one hint: if you have one syslog collector (as your one or using an Heavy Forwarder) you have a Single Point of Failure so, if your syslog collector is down for failure or maintenance, you lose your syslogs.
To solve this problem, you could use two Heavy Forwarders putting in front of them a Load Balancer that distributes traffic between HFs and manages failures; if in your infrastructure you haven't an hardware Load balancer, you can use a DNS configuration.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-07-2021 11:53 PM

HI @pacifikn,

good for you, see next time.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

pacifikn
Communicator
‎01-16-2020 12:44 AM

Thank you so much gcusello for your quick reply!

That's exactly the problem and this cause me to not see the logs in the search app.

could you help on the following options and guide me on how I could use this way below you mentioned:

"""" Eventually, you could install on the Syslog collector a Heavy Forwarder (a full Splunk instance that forwards all the logs to Indexers) and use it as Syslog collector, so you haven't the problem of the full folder because syslogs are immediately (if network is ok) sent to indexers and you don't need to delete files. """"

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-16-2020 01:27 AM

Hi @pacifikn,
To configure an Heavy Forwarder as syslog server, you have to do the following steps:

  • install Splunk on the syslog collector systems (one or two in HA);
  • configure these servers to forward all logs to the indexers [Settings -- Forwarding and Receiving -- Configure Forwarding];
  • analyze and define in an Excel file exactly the flows you have to ingest: sender, protocol, port, sourcetype and index;
  • add Network inputs [Settings -- Data Inputs -- TCP/UDP -- Add input] using the settings defined in the previous step;
  • configure appliances to send syslogs to the syslogs collector using the configurated parameters.

To configure DNS as a Load Balancer see at https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/app-lb

Ciao.
Giuseppe

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...