On my old setup I had all syslogs going to syslog on the Splunk server, but now I'm doing a fresh setup with Ubuntu 9.10 servers with Splunk v4.1 and rsyslog v4.
I searched and found that I should open a receiving port, 2010, in "Manager » Forwarding and receiving » Receive data", and also added the following line in /etc/rsyslog.conf on the sending server and restarted rsyslog:
*.* @@192.168.10.7:2010;SyslFormat
Splunk never receives anything from the remote server with this setup. Is there something I'm missing here?
TIA, Cotton
Also, it won't let me add 'rsyslog' or 'receiving' tags...
* new users can't create tags; 'rsyslog forwarding' are new tags
This should probably be posted as a separate question.
I recommend using a forwarder for multiple reasons - chiefly for reliability. See this answer: http://answers.splunk.com/questions/1114/what-happens-to-my-events-at-splunk-light-forwarder-when-th....
Also, you can still use the Splunk LWF. The following is what you are losing, none of which - with the exception of fschange - will interfere with the unix app: http://www.splunk.com/base/Documentation/latest/Admin/Moreaboutforwarders
It was the "SyslFormat" part at the end of that rsyslog.conf file, it should have been:
*.* @@192.168.10.7:2010;
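As an added illustration, not code from this thread or from Splunk, here is a small Python checker for legacy rsyslog forwarding lines like the one above: it collects the $template definitions in a config and flags any forwarding action whose ";Template" suffix names a template that was never defined (the mistake found above), and also flags UDP targets, since the forwarder advice in this thread favours a reliable transport. The sample config is constructed; it assumes rsyslog's legacy "selector @host" / "@@host" syntax and that an action referencing an undefined template will not deliver anything.

```python
import re

# Constructed sample rsyslog.conf, modelled on the question: the first
# forwarding action references a template that is never defined.
SAMPLE_CONF = """\
$ModLoad imuxsock
$template RemoteFmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\\n"
*.* @@192.168.10.7:2010;SyslFormat
*.info @192.168.10.8:514;RemoteFmt
*.* @@192.168.10.9:2010
"""

# $template <Name>,"<format>"  (legacy template definition)
TEMPLATE_RE = re.compile(r'^\$template\s+([A-Za-z0-9_\-]+)\s*,', re.M)
# <selector> @host[:port][;Template]  (UDP)  or  @@host[:port][;Template]  (TCP)
ACTION_RE = re.compile(
    r'^(?P<selector>\S+)\s+(?P<proto>@{1,2})(?P<host>[^\s:;]+)(?::(?P<port>\d+))?'
    r'(?:;(?P<template>[A-Za-z0-9_\-]+))?\s*$', re.M)


def parse_forwarders(conf):
    """Return the forwarding actions found in legacy rsyslog syntax."""
    templates = set(TEMPLATE_RE.findall(conf))
    actions = []
    for m in ACTION_RE.finditer(conf):
        tmpl = m.group("template")
        actions.append({
            "selector": m.group("selector"),
            "transport": "tcp" if m.group("proto") == "@@" else "udp",
            "host": m.group("host"),
            "port": int(m.group("port") or 514),   # syslog default port
            "template": tmpl,
            "template_defined": tmpl is None or tmpl in templates,
        })
    return actions


def lint(conf):
    """Return human-readable findings for forwarding actions likely to fail."""
    findings = []
    for a in parse_forwarders(conf):
        target = f"{a['host']}:{a['port']}"
        if not a["template_defined"]:
            findings.append(f"{target}: template '{a['template']}' is not defined; "
                            f"drop the ';{a['template']}' suffix or add a $template line")
        if a["transport"] == "udp":
            findings.append(f"{target}: UDP forwarding; dropped events are not retried")
    return findings
```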
Forwarding and receiving is intended for receiving from another Splunk instance (usually a Splunk forwarder). You want to go to Manager » Data Inputs and open a udp port, or tcp if that's an option for rsyslog.
I have tried that also, restarting splunk of course, with no results.
Any other ideas?