Does both Enterprise (supported) and free rsyslog support wildcarding?
Does rsyslog work well with Splunk?
Is Rsyslog supported on PowerPC running LINUX?
First, let me say that there is no "enterprise" version of rsyslog, at least for the time being. There is just one very capable version, but you can purchase support with it (what, of course, I appreciate ;)).
I don't see any reason why rsyslog should not run on PowerPC. Did you try a compile and it failed? If so, please let me know what happened. I do not have a PowerPC environment to test myself.
We use rsyslog. All networking equipment sends its logs to a central syslog server(*) that then uses this rule:
# One file per sending device. %FROMHOST% is the name (or IP) of the peer rsyslog
# received the message from, not the hostname field inside the message text.
$template DynaFile,"/var/log/syslog/system-%FROMHOST%.log",500000
# The template only names the file; a selector has to reference it for anything to be written:
*.* ?DynaFile
We then grab them with an inputs.conf that looks like this:
[monitor:///var/log/syslog]
index = syslog
sourcetype = syslog
# host comes from the first capture group of the file path, not from the syslog header.
# Dot escaped and the stray trailing "*" dropped so "system-x.lo" no longer matches.
host_regex = /var/log/syslog/system-(.*)\.log
(*) It's actually a VIP that goes to a load balancer, but that's not really important to this discussion.
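The following is an added example, not code from the post above: it simulates what the DynaFile template and the Splunk host_regex do to a few constructed messages, so the two questions raised in this thread (what happens to %FROMHOST% behind a load-balanced VIP, and what the host_regex actually captures) can be checked offline. The template string is the one from the post; the host names, messages, VIP address, and the two regex variants (a loose `system-(.*).log*` beside an escaped `system-(.*)\.log`) are assumptions made up for the example.

```python
"""Added example (not from the post): simulate rsyslog's DynaFile template and
Splunk's host_regex on constructed messages to show where host attribution
breaks. Host names, messages and the VIP address are made up."""
import re
from collections import defaultdict

# Template string from the post. %FROMHOST% is the peer rsyslog received the
# datagram/connection from; it is not parsed out of the message text.
DYNAFILE_TEMPLATE = "/var/log/syslog/system-%FROMHOST%.log"

# Two candidate host_regex values. LOOSE has an unescaped "." and a trailing
# "*" that makes the "g" optional; STRICT escapes the dot so ".log" is literal.
LOOSE_HOST_REGEX = re.compile(r"/var/log/syslog/system-(.*).log*")
STRICT_HOST_REGEX = re.compile(r"/var/log/syslog/system-(.*)\.log")

# Constructed sample input: (FROMHOST as rsyslog would see it, message text).
SAMPLE_MESSAGES = [
    ("sw-core-1", "<189>Jun  1 12:00:01 sw-core-1 %LINK-3-UPDOWN: Gi1/0/1 changed state to down"),
    ("fw-edge-2", "<166>Jun  1 12:00:02 fw-edge-2 %ASA-6-106015: Deny TCP from 203.0.113.9/4433 to 10.0.0.7/22"),
    ("10.1.2.3",  "<190>Jun  1 12:00:03 10.1.2.3 sshd[812]: Accepted password for admin from 10.0.0.50"),
]


def expand_template(template, props):
    """Replace each %NAME% in a template string with props[NAME]."""
    return re.sub(r"%([A-Za-z_]+)%", lambda m: props[m.group(1)], template)


def route(messages, via_vip=None):
    """Return {file path: [messages]} as the DynaFile template would produce.

    If via_vip is given, simulate a load balancer that source-NATs every
    sender, so rsyslog sees the VIP as FROMHOST for all of them (the concern
    raised in the thread about pointing devices at a VIP)."""
    files = defaultdict(list)
    for fromhost, text in messages:
        peer = via_vip if via_vip else fromhost
        path = expand_template(DYNAFILE_TEMPLATE, {"FROMHOST": peer})
        files[path].append(text)
    return dict(files)


def splunk_host(path, regex=STRICT_HOST_REGEX):
    """Host Splunk would assign from host_regex: first capture group, or None."""
    m = regex.search(path)
    return m.group(1) if m else None


if __name__ == "__main__":
    for path, msgs in route(SAMPLE_MESSAGES).items():
        print(path, "->", splunk_host(path), f"({len(msgs)} msgs)")
    for path, msgs in route(SAMPLE_MESSAGES, via_vip="10.0.0.5").items():
        print(path, "->", splunk_host(path), f"({len(msgs)} msgs, all senders collapsed)")
```

Two things the run makes visible: with the VIP source-NATing, every device lands in `system-10.0.0.5.log` and Splunk tags all of it with host=10.0.0.5, so the load balancer has to preserve the client source address for this scheme to keep per-device attribution. And the loose regex happily reports host "fw" for a file named `system-fw.lo`, while the escaped form does not. Note also that %FROMHOST% is taken from the network peer; if the path were built from %HOSTNAME% (read from the message) instead, a sender would control part of the file name, which is what rsyslog's `secpath-drop` / `secpath-replace` property options exist for.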
And your FROMHOST doesn't get replaced with the VIP IP/hostname?
I'm not sure what you mean by wildcarding in this context.
But this is a Splunk message board and I can only comment on how Splunk interacts with rsyslog.
As far as source goes, if you're using syslog, you're not going to get much more than source=syslog anyway.
If you want more specific sourcetypes, I can give you examples of that.
Thanks Mike. With our messages we'd lose the original source if we did it that way. Again, does either rsyslog support wildcarding?
That is rsyslog wildcarding
I'd check the rsyslog web site with regards to what it supports or what it doesn't.
If it's a flavor of *syslog, then Splunk can consume it directly (not recommended in my opinion), or if it can write to a log and then have Splunk consume that log (little more failsafe).
Brian
I wish I could distinguish support for wildcarding on any website, that's why I wanted to run it by the community.