Hi @DStalker, Splunk has the function of a syslog server built in, and a dedicated app to do this: Splunk Connect for Syslog (https://splunkbase.splunk.com/app/4740/). It doesn't require programming knowledge, only a little Splunk knowledge. To do this, at first you have to define if you want HA or not: if yes, you have to use two Heavy Forwarders and a Load Balancer; if not, you need only one Load Balancer. This is important because, as you know, you have to take syslogs when they arrive, otherwise they are lost, so you need a system with two servers so that at least one of them is always active, also during failure or maintenance. Anyway, the steps are the following (not HA):

1. Make a list of your sources, identifying: source address, source hostname, available protocol (TCP/UDP), configurable ports (default 514; some appliances can set a different output port, some others cannot).
2. Open the firewall routes between the syslog sources and the Heavy Forwarder.
3. Install a server: also virtual, possibly Linux, with the normal requirements for Splunk.
4. Install Splunk Enterprise: a Heavy Forwarder is a Splunk instance where logs are forwarded to other Indexers.
5. Configure the HF to forward logs to the indexers [Settings -- Forwarding and Receiving -- Forward Data]: Forwarding default: Yes; Configure Forwarding: insert the addresses of your indexers.
6. Install Splunk Connect for Syslog.
7. In Connect for Syslog, configure Inputs to ingest the logs from the listed syslog sources following the instructions in the App.
8. Configure your syslog sources to send logs to the HF address using the configured port and protocol. If you can configure the port in your syslog sources, use a different port for each kind of source (e.g. all Fortinet Firewalls on 515, all proxies on 516, etc.); otherwise leave 514 on all the sources.
9. Check the ingestion in Splunk by running a simple search: index=syslog_index (the index you configured in inputs).
If you want HA, only the first part is different, because you have to configure two HFs and the Load Balancer to distribute the load between the HFs, and then you have to use the LB address as the destination from your syslog sources. If you search on Google, you can find a lot of documentation and videos about this, e.g.: https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Monitornetworkports , https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-syslog-gdi.html , https://www.youtube.com/watch?v=BQU-bsSCXhk , Ciao. Giuseppe
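An added illustration of the port-per-source-kind plan from the steps above (it is not code from the post or from Splunk Connect for Syslog): one UDP listener per planned port, each datagram classified to an index and sourcetype by the port it arrived on and checked against the source inventory, with every drop reported rather than silent. The port plan, inventory addresses, index and sourcetype names are constructed assumptions.

```python
import re
import socketserver
import threading

# Constructed port plan following the post: one port per kind of source.
# Index and sourcetype names are assumptions, not SC4S defaults.
PORT_PLAN = {
    514: ("syslog_index", "syslog"),             # anything left on the default port
    515: ("syslog_index", "fortinet:firewall"),  # all Fortinet firewalls
    516: ("syslog_index", "proxy:access"),       # all proxies
}

# Constructed inventory (the "list of your sources" step): the port each
# known sender is expected to use. Unknown senders are dropped, not ingested.
INVENTORY = {"10.0.0.1": 515, "10.0.0.2": 516, "10.0.0.3": 514}

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss hostname message
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def classify(port, sender_ip, raw):
    """Map one datagram to an ingest decision keyed by listening port.
    Returns {"action": "ingest", index, sourcetype, host, facility, severity,
    message} or {"action": "drop", "reason": ...} so drops stay visible."""
    if port not in PORT_PLAN:
        return {"action": "drop", "reason": "port %d not in plan" % port}
    expected = INVENTORY.get(sender_ip)
    if expected is None:
        return {"action": "drop", "reason": "sender %s not in inventory" % sender_ip}
    if expected != port:
        return {"action": "drop", "reason": "sender %s expected on %d, got %d"
                % (sender_ip, expected, port)}
    m = HEADER.match(raw)
    if not m:
        return {"action": "drop", "reason": "malformed syslog header"}
    pri = int(m.group("pri"))
    index, sourcetype = PORT_PLAN[port]
    return {"action": "ingest", "index": index, "sourcetype": sourcetype,
            "host": m.group("host"), "facility": pri // 8, "severity": pri % 8,
            "message": m.group("msg")}


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request
        port = self.server.server_address[1]
        print(classify(port, self.client_address[0], data.decode("utf-8", "replace").rstrip()))


def listen(ports=PORT_PLAN, bind="0.0.0.0"):
    """Bind one UDP listener per planned port (ports below 1024 need root).
    Listeners must be up before sources are pointed at them: UDP syslog that
    arrives with nobody listening is simply lost, which is the post's HA point."""
    servers = [socketserver.ThreadingUDPServer((bind, p), Handler) for p in ports]
    for s in servers:
        threading.Thread(target=s.serve_forever, daemon=True).start()
    return servers
```

Run it as root (or change PORT_PLAN to high ports) and send a test line with `logger -n <hf> -P 515`; a firewall that is in the inventory on 515 but reaches the listener on 514 is reported as a drop, which is exactly the misconfiguration the per-port scheme is meant to catch.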