Refine your search:

how to get fifo to be sourceType=syslog?

1

Greetings experts,

I am using syslog-ng and Splunk on the same box. I have configure syslog-ng to pipe the incoming syslogs to a FIFO and get Splunk to read the FIFO.

Splunk can read and index the FIFO fine but the sourceType is unkown and I am trying to get Splunk to recognize the data as sourceType syslog.

Can this be done? What needs to be modified?

I have tried to configure the /$SPLUNK_HOME/etc/modules/input/FIFO/config.xml file but this did not seem to get the sourceType changed.

Any help would be greatly appreciated.

Bear

asked 12 Jul '10, 16:46

bbear's gravatar image

bbear
914
accept rate: 0%

2 Answers:
oldestnewestmost voted
1

A couple of things to point out. (This may vary slightly based on splunk version)

I don't think you should ever have to mess with the etc/modules/... folder so I would recommend undoing any changes you made there.

To set the sourcetype, you should be able to simply set the "sourcetype" parameter in your input stanza. So your inputs.conf entry should look something like this:

[fifo:///var/path/to/fifo]
sourcetype = syslog

I should point out that splunk does not recommend the usage of fifo anymore. So I would suggest either (1) use syslog-ng to write to files and have splunk pick up those files, this has the advantage of protecting you against losing events whenever splunkd is restarted, or (2) if short outages (due to restarts) are not a problem for you then you can configure splunk to listen on a TCP (or UDP) port and have syslog-ng forward your events to that port. (You would use the same sourcetype=syslog option for that input as well.)

link

answered 12 Jul '10, 17:18

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

Thanks for the help and advice. I am experimenting with what is easiest and best so I removed the FIFO and went back to reading the udp port.

(14 Jul '10, 18:21) bbear
0

OK, I figured it out.

I needed to add the sourcetype = syslog to my inputs.conf file under the fifo config.

link

answered 12 Jul '10, 17:16

bbear's gravatar image

bbear
914
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×185

Asked: 12 Jul '10, 16:46

Seen: 903 times

Last updated: 12 Jul '10, 17:18

Related questions

Syslog-ng FIFO with Splunk

Capture Forwarded syslog events from a syslog server

universal forwarder vs. dedicated rsyslog/syslog-ng servers to forward syslog to splunk indexer

Is there a way to maintain the source IP of the UDP syslog packet when forwarding to a 3rd party syslog listener?

Syslog Priority Levels Stripped for UDP and TCP Syslog Messages

Syslog Header In Output To A Syslog Server

Syslog segregation and how pasing works when it is a syslog?

Can I prevent the default index-time extraction for the "host" field to occur for events of the "syslog" sourcetype?

Setting "sourcetype" On Syslog Sent from Viprion

Copyright © 2005-2012 Splunk, Inc. All rights reserved.