
Syslog Integration With Splunk

Hi Guys !!!!

We all know that Splunk can take data from many types of sources. We can take data directly from any application server by installing a Universal Forwarder, and we can also take data through HEC (HTTP Event Collector). Today, however, we will show you how to take data from a syslog server using the Network Input option. The syslog server can forward its data using rsyslog or any third-party software; we will show you how to take network input from a syslog server using syslog-ng (a third-party software).

There are two options for Network Input in Splunk:

1) UDP Input

2) TCP Input

In our setup we have 4 servers. We want to take the data from the syslog server to idx4.

NETWORK INPUT ( Via UDP )

Step 1: – Login to the hf (Heavy Forwarder) server with your credentials.

Step 2: – Navigate to Settings >> Data Inputs.


Step 3: – You can see the UDP option; click on Add New.

Step 4: – Give the port number and select UDP. We have used port 514.

Step 5: – Create a new sourcetype for the incoming logs.

Step 6: – We have already created an index on the HF and IDX servers.

Step 7: – Select the index where you want to store the data. We have given the index name as syslog-integration.

Step 8: – Review all the settings once.


Step 9: – Click on Submit to save the input.

Step 10: – Open the CLI of the syslog server where we have already installed syslog-ng. Enable syslog-ng.

# systemctl enable syslog-ng


Step 11: – Then navigate to the below path.

# cd /etc/syslog-ng


Step 12: – Run the below command to see the list of files and directories.

# ls


Step 13: – Now open syslog-ng.conf to edit the configuration file.

# vi syslog-ng.conf


Step 14: – Add the below-listed lines to forward the data.


We have to write three portions in the file.

In the source portion, you give the path of the file whose data you want to send to Splunk for monitoring.

In the destination portion, you give the IP address of the Heavy Forwarder along with the transport protocol.

In the log portion, you tie together the source and destination you have created. Save the file.


Step 15: – Restart the syslog-ng service for the changes to take effect.

# systemctl restart syslog-ng

Step 16: – Now, on the Search Head, you can see the data coming from the syslog server via the UDP protocol.

NETWORK INPUT ( Via TCP )

Step 1: – Login to the hf (Heavy Forwarder) server with your credentials.

Step 2: – Navigate to Settings >> Data Inputs.


Step 3: – You can see the TCP option; click on Add New.

Step 4: – Give the port number and select TCP. We have used port 514.

Step 5: – Create a new sourcetype for the incoming logs.

Step 6: – We have already created an index on the HF and IDX servers.

Step 7: – Select the index where you want to store the data. We have given the index name as syslog-integration.

Step 8: – Review all the settings once.


Step 9: – Click on Submit to save the input.

Step 10: – Open the CLI of the syslog server where we have already installed syslog-ng. Enable syslog-ng.

# systemctl enable syslog-ng


Step 11: – Then navigate to the below path.

# cd /etc/syslog-ng


Step 12: – Run the below command to see the list of files and directories.

# ls


Step 13: – Now open syslog-ng.conf to edit the configuration file.

# vi syslog-ng.conf


Step 14: – Add the below-listed lines to forward the data.


We have to write three portions in the file.

In the source portion, you give the path of the file whose data you want to send to Splunk for monitoring.

In the destination portion, you give the IP address of the Heavy Forwarder along with the transport protocol and port.

In the log portion, you tie together the source and destination you have created. Save the file.
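Since the actual lines are only shown in the screenshots, here is an added example (not the original post's configuration) of the three portions described in Step 14 of both the UDP and the TCP sections, written for syslog-ng 3.x. HF_IP_ADDRESS is a placeholder for the Heavy Forwarder's address and /var/log/messages is an assumed file path; both must be replaced with your own values.

```conf
# Append to the existing /etc/syslog-ng/syslog-ng.conf, which already
# carries its own @version line. Values marked as placeholders are
# assumptions, not taken from the post.

# Source portion: the local file whose lines should reach Splunk.
# /var/log/messages is an assumed path; use the log you want to monitor.
source s_app_log {
    file("/var/log/messages" follow-freq(1));
};

# Destination portion for the UDP input created in the UDP section.
# UDP has no acknowledgement, so events dropped on the wire are lost silently.
destination d_splunk_udp {
    network("HF_IP_ADDRESS" transport("udp") port(514));
};

# Destination portion for the TCP input created in the TCP section.
# With TCP, syslog-ng notices a broken connection and retries it
# (time-reopen sets the retry interval in seconds).
# Port 514 is a privileged port on Linux: a Splunk process that runs as a
# non-root user cannot bind it, so either use a port above 1024 on both
# sides or grant the Splunk process CAP_NET_BIND_SERVICE.
destination d_splunk_tcp {
    network("HF_IP_ADDRESS" transport("tcp") port(514) time-reopen(10));
};

# Log portion: tie the source to the destination that matches the input
# you configured on the HF. Keep only the log statement you need.
log {
    source(s_app_log);
    destination(d_splunk_udp);
};

log {
    source(s_app_log);
    destination(d_splunk_tcp);
    # flow-control slows the file reader instead of dropping events
    # when the TCP destination cannot keep up.
    flags(flow-control);
};
```

Check the syntax with `syslog-ng -s` before restarting the service in Step 15. On the HF, `ss -lnup | grep 514` (UDP) or `ss -lntp | grep 514` (TCP) confirms that Splunk is actually listening on the port you configured.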

Step 15: – Restart the syslog-ng service for the changes to take effect.

# systemctl restart syslog-ng

Step 16: – Now, on the Search Head, you can see the data coming from the syslog server via the TCP protocol.

We hope this has helped you achieve the requirement below without fail:

Syslog Integration With Splunk

Happy Splunking !!
