Capture Forwarded syslog events from a syslog serv...

ngcgoon · ‎07-29-2010

I have setup a forwarder on a syslog-ng server to an indexer which is my webhead. I have setup an index (host-syslog) and my data input is /var/log/messages tied to that index and either the default app or unix.(The platform is linux). I have also setup a light forwarder on another syslog-ng server forwarding the events to my indexer. Somehow I can't search the webhead for events from a fowarder unless I am missing something. So on the indexer I use: host="syslog-server-host1" source ="/var/log/messages" and sourcetype = syslog. When this runs I do not get any current events and I get very few events at that. I have over 10 million lines of syslog-ng entries before the log rotates on average. Any suggestions on setup or searching?

In is there a way to make forwarded events goto a specific index on the index server? I'm using the current version 4.1.3 for linux.

Thanks any help is appreciated.

kristian_kolb · ‎06-14-2011

Are you sure that you are actually searching in your dedicated syslog-index? You didn't specifically mention it.

index=host-syslog sourcetype=syslog host=syslog-server-host1 etc etc.

BR,

Kristian

Genti · ‎07-30-2010

it should be easy to achieve by the following (or similar input stanza)
[monitor:///var/log/messages/]
sourcetype = syslog
index = chosen-one

It would be beneficial to show us what the current configuration is so that we can take a peak and if needed, edit the necessary bits.

Cheers!

Capture Forwarded syslog events from a syslog server

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases