Hi, This might not exactly be what you are looking for, but syslog-ng can manage lists that you can use in filters to classify your log messages (for example, to add specific message fields if the host/IP appears in a specific list), using the inlist filter, or add metadata from files. Recent versions of syslog-ng Premium Edition (the commercial version of syslog-ng) can even send log messages to Splunk HEC directly. ... View more

Hi, recent versions of syslog-ng Premium Edition can send log messages to Splunk HEC directly. syslog-ng also has a wildcard file source to monitor files and directories for log messages. ... View more

Hi, here you can find some tips: https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/7.0.12/collecting-log-messages-from-udp-sources But unless there is a special reason why you must use UDP, I'd suggest using TCP instead. ... View more

Hi, You probably do not need both the universal forwarder and syslog-ng, you can forward logs to Splunk and third-party systems with syslog-ng alone. ... View more

Hi, Try running tcpdump on the server to see if any netscaler messages reach the server (but fail to reach syslog-ng for some reason), and try running syslog-ng in verbose mode to see if it shows any error messages. ... View more

Hi, in your syslog-ng configuration, change create_dirs (no); to yes, otherwise syslog-ng will use only existing directories. If that doesn't help, check your SELinux settings and adjust them if needed to permit syslog-ng to write in the directories you want to. ... View more

Depending on the amount of messages, if you are using syslog-ng, you can send messages directly to Splunk, see syslog-ng and HEC: Scalable Aggregated Data Collection in Splunk ... View more

Thanks a lot! ... View more

Hi garethatiag, I've seen that you already solved the problem, but would be interested in what information was missing from the syslog-ng manual, or what problems/difficulties you had with it. Were you missing Splunk-specific information, or something more general? Your feedback would be greatly appreciated, to know what we could improve in the syslog-ng documentation. Kind Regards, Robert ... View more

Another possibility is thaty the user doesn't have write permission to /dev, so it cannot remove the stale log socket, which causes the bind to fail. You can create the log socket somewhere else (for example, under /var somewhere) and point a symlink to it from /dev. Then you can give permissions to user to the directory where the log socket resides. ... View more

Hi, this should work, but it's possible that you hit a bug. Which version of syslog-ng are you using? ... View more

Sure! (I've included a link in my earlier reply, but it seems it was moderated 🙂 ) The following log statement drops all debug level messages without any further processing. filter demo_debugfilter { level(debug); }; log { source(s_all); filter(demo_debugfilter); flags(final); }; ... View more

Hi, Create a log path that does not have a destination, just a source, a filter (that matches the messages you want to drop), and the final flag. For details, see the syslog-ng Administrator Guide Kind Regards, Robert Fekete syslog-ng documentation maintainer ... View more

Hi, sorry for not getting back to you earlier. * simple e-mail alerting from syslog-ng * you can also get daily emails, but that's probably difficult to get and overkill to do in syslog-ng (you need to use a pattern database to identify the related messages, and use message correlation and triggered actions), see https://www.balabit.com/documents/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-guide-admin/html/chapter-patterndb.html For using syslog-ng with splunk, there is a whitepaper for the commercial version of syslog-ng, but most of it applies to the open source version as well, so it might be interesting for you: https://www.balabit.com/documents/pdf/syslog-ng-pe-whitepaper-splunk.pdf Regards, Robert ... View more

Hi, you can have Splunk read the logfiles you create with syslog-ng, or you can have syslog-ng to send the logs to Splunk via the network. Regarding the e-mail alert, that can be done with syslog-ng (not too old versions have an smtp destination), and probably with splunk as well. HTH Regards, Robert Fekete syslog-ng documentation maintainer ... View more