Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About matcher123
matcher123
Loves-to-Learn Everything
Member since:
04-18-2024
04-25-2024
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 04-18-2024 |
Activity Feed
- Posted Splunk Connect for Syslog on Getting Data In. 04-25-2024 12:09 AM
- Tagged Splunk Connect for Syslog on Getting Data In. 04-25-2024 12:09 AM
- Tagged Splunk Connect for Syslog on Getting Data In. 04-25-2024 12:09 AM
- Tagged Splunk Connect for Syslog on Getting Data In. 04-25-2024 12:09 AM
- Tagged Splunk Connect for Syslog on Getting Data In. 04-25-2024 12:09 AM
- Tagged Splunk Connect for Syslog on Getting Data In. 04-25-2024 12:09 AM
- Posted Re: Splunk Connect for Syslog on Getting Data In. 04-19-2024 04:50 AM
- Posted Re: Splunk Connect for Syslog on Getting Data In. 04-19-2024 03:13 AM
- Posted Re: Splunk Connect for Syslog on Getting Data In. 04-19-2024 12:28 AM
- Posted Re: Splunk Connect for Syslog on Getting Data In. 04-18-2024 08:38 PM
- Posted Splunk Connect for Syslog on Getting Data In. 04-18-2024 07:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
04-25-2024
12:09 AM
I have a sc4s deployment running in an ec2 instance. I followed the documentation provided here https://splunk.github.io/splunk-connect-for-syslog/main/. I have a c# application running inside docker of the same host where sc4s is running. My application is able to send syslog data on port 514 and the same is visible in Splunk Cloud dashboard under sourcetype as sc4s:fallback I am running the same application in my windows local machine trying to send data to the same port and linux machine ip. Data is sent to the host machine because I can see it in the TCP dump but sc4s is not ingesting the data into the Splunk Cloud. What should be my next step in debugging. I have tried everything from my side but still not able to figure out what the issue is my sc4s deployment
... View more
04-19-2024
04:50 AM
Could I get by creating Simple Log path by port (https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/simple/) ?
... View more
04-19-2024
03:13 AM
So my application sends data in RFC5424 format. It a test c# application running my local which basically sends data through a udp client in RFC5424 format to an ec2instance which runs sc4s inside docker. The logs don't help because I don't see anything after starting goss starting syslog-ng I am not aware if I have to configure anything in splunk cloud
... View more
04-19-2024
12:28 AM
When I run echo '<14>1 2024-04-19T12:34:56.789Z myhostname myapp 12345 - [exampleSDID@32473 iut="3" eventSource="application" eventID="1011"] Something happened through echoing.' > /dev/udp/127.0.0.1/514 I am able to see it in Splunk. But when my application is sending syslog on port 514, it does not appear on Splunk although the same message is visible when I run TCP dump on port 514. What would I be missing here? To reply to your question, I believe I have followed the steps in runtime configuration (https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/getting-started-runtime-configuration/)
... View more
04-18-2024
08:38 PM
WHen I have uncommented the line SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no. I get the below logs when I run the command journalctl -b -u sc4s Apr 18 13:53:40 ip-MachineIP systemd[1]: Starting SC4S Container... Apr 18 13:53:41 ip-MachineIP docker[12242]: latest: Pulling from splunk/splunk-connect-for-syslog/container3 Apr 18 13:53:41 ip-MachineIP docker[12242]: Digest: sha256:f8ff916d9cb6836cb0b03b578f51a3777c7a4c84e580fdad9b768cdc7ef2910e Apr 18 13:53:41 ip-MachineIP docker[12242]: Status: Image is up to date for ghcr.io/splunk/splunk-connect-for-syslog/container3:latest Apr 18 13:53:41 ip-MachineIP docker[12242]: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest Apr 18 13:53:41 ip-MachineIP systemd[1]: Started SC4S Container. Apr 18 13:53:42 ip-MachineIP docker[12254]: SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:fallback... Apr 18 13:53:43 ip-MachineIP docker[12254]: SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events... Apr 18 13:53:47 ip-MachineIP docker[12254]: syslog-ng checking config Apr 18 13:53:47 ip-MachineIP docker[12254]: sc4s version=3.22.3 Apr 18 13:53:48 ip-MachineIP docker[12254]: starting goss Apr 18 13:53:50 ip-MachineIP docker[12254]: starting syslog-ng I have created all the indexes mentioned in the document (https://splunk.github.io/splunk-connect-for-syslog/main/gettingstarted/getting-started-splunk-setup/) I cannot find the file /opt/sc4s/local/context/splunk_index.csv I am able to curl and send message to splunk using -k flag in my curl command. Do I need to whitelist if I am able to curl?
... View more
04-18-2024
07:12 AM
I was following the documentation of splunk connect for syslog so that I could ingest syslog in Splunk Cloud setup. I cannot turn of SSL option in my HEC global settings. So I did not uncomment the below line I created the file /opt/sc4s/env_file with the contents.
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088 SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
I started my sc4s.service ( systemd service created by following the doc). I started to get exception Followed this for splunk cloud. When sc4s service is started I get error below curl: (60) SSL certificate problem: self-signed certificate in certificate chain More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback Startup will continue to prevent data loss if this is a transient failure. If I uncomment the line, I don't see the exception anymore but I fail to get any message when I
search index=* sourcetype=sc4s:events "starting up" as suggested in the documentation. No sample data when I run
echo “Hello SC4S” > /dev/udp/<SC4S_ip>/514
Please let me know what I am missing in the setup so that I can proceed forward
... View more
Labels
- Labels:
-
HTTP Event Collector
-
Linux
-
syslog
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-25-2024
05:55 AM
|
