×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dmed
Engager
Member since: ‎11-26-2021
‎12-04-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎11-26-2021
Activity Feed
Topics I've Started
View All

Re: syslog-ng to rsyslog

by in Getting Data In
‎12-03-2021 05:51 AM
‎12-03-2021 05:51 AM
Hi PickleRick, Sorry for the delay. I just want to confirm your config is working fine for me. I appreciate your help.  I'll start using the rsyslog forums at https://thwack.solarwinds.com/product-forums/loggly/ and / or rsyslog.com forums ( if they even exist 🙂 ) going forward... Thanks again!  ... View more

Re: syslog-ng to rsyslog

by in Getting Data In
‎11-28-2021 05:23 AM
‎11-28-2021 05:23 AM
Thanks so much for the very informative reply. I'll try out your suggestions which I'm sure will do the trick 🙂 My setup is such that Logs come in from external clients and all these (including the logs of the local rsyslog server itself)  go to a splunkforwarder.  Well for now it's just the audit logs that are forwarded, but all logs including those of the log server are collected under directories. So in effect the local logs per se, are also going to land up under a directory under syslog-to-splunk. Your config makes good sense to me. Once again, thanks for that. I'll try it out and update here. ... View more

syslog-ng to rsyslog

by in Getting Data In
‎11-27-2021 11:07 AM
‎11-27-2021 11:07 AM
Hi dear splunk community, Can someone help me to convert/translate the following syslog-ng config to the corresponding rsyslog server side config please ? The standard syslog-ng.conf file simply includes the statements below which are in a file in the conf.d dir like so: @include "/etc/syslog-ng/conf.d/*.conf" I'd really appreciate it.  It doesn't have to be perfect or exact or even completely converted, as long as most of it can be  translated...the main concerns being the audit logs and all the rest of the program logs... Thanks so very much,   source s_remote { syslog(port(514), transport(tcp), flags(), max-connections(100),log-fetch-limit(100),log_iw_size(20000)); }; destination d_kern { file("/var/log/syslog-to-splunk/$HOST/kernel.log" create-dirs(yes)); }; destination d_mail { file("/var/log/syslog-to-splunk/$HOST/mail.log" create-dirs(yes)); }; destination d_daemon { file("/var/log/syslog-to-splunk/$HOST/daemon.log" create-dirs(yes)); }; destination d_auth { file("/var/log/syslog-to-splunk/$HOST/auth.log" create-dirs(yes)); }; destination d_cron { file("/var/log/syslog-to-splunk/$HOST/cron.log" create-dirs(yes)); }; destination d_security { file("/var/log/syslog-to-splunk/$HOST/audit.log" create-dirs(yes)); }; # All else. destination d_rest { file("/var/log/syslog-to-splunk/$HOST/program/$PROGRAM.log" create-dirs(yes)); }; filter f_kern { facility(kern); }; filter f_mail { facility(mail); }; filter f_daemon { facility(daemon, user, syslog); }; filter f_auth { facility(auth, authpriv, security); }; filter f_cron { facility(cron); }; filter f_security { facility(kern, auth, authpriv, security, local7); }; filter f_rest { not facility(auth, authpriv, cron, kern, mail, user, security, syslog); }; log { source(s_remote); filter(f_kern); destination(d_kern); }; log { source(s_remote); filter(f_mail); destination(d_mail); }; log { source(s_remote); filter(f_daemon); destination(d_daemon); }; log { source(s_remote); filter(f_auth); destination(d_auth); }; log { source(s_remote); filter(f_cron); destination(d_cron); }; log { source(s_remote); filter(f_security); destination(d_security); }; log { source(s_remote); filter(f_rest); destination(d_rest); };   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-04-2021 01:03 PM
Karma given to
View All