Getting Data In

How to find out if the host is forwarding logs by syslog or UF?

MayurMangoli
Loves-to-Learn Everything

We have multiple devices forwarding logs to Splunk with the syslog mechanism and with the UF, and it's difficult to identify the forwarding mechanism used for those devices. Is there any way to identify the syslog forwarding mechanism on port 514?

0 Karma

MayurMangoli
Loves-to-Learn Everything

The logs are forwarded by the host with 2 mechanisms: one with a syslog configuration at the host end using port 514, and the other by installing the UF on the host to forward the logs on port 9997. Is there any way to find the host details for logs forwarded by these 2 mechanisms?

0 Karma

gcusello
SplunkTrust

Hi @MayurMangoli,

As I said, you can use the source field to identify if the source is a UDP or TCP syslog, e.g. on port 512, or a file from a Universal Forwarder.

It's more difficult if you're using an rsyslog or a syslog-ng server to receive syslogs, because they write syslogs to a file, so you cannot distinguish them.

My hint is to always have a perimeter (e.g. in a lookup or in an external Excel file) containing the monitoring perimeter, in which all the hosts under monitoring are listed together with the way their logs are ingested (e.g. syslog or UF, protocol, port, etc.).

All my projects start with the perimeter definition and analysis, that you can also use to check the data flow status.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @MayurMangoli,

what do you mean with "syslog mechanism"?

The port and protocol are defined in the source of your events.

The way to ingest syslogs is defined by your architecture.

The forwarder isn't defined yet, but I requested this feature in Splunk Ideas (https://ideas.splunk.com/ideas/EID-I-1731) and it's "under consideration". If you think it's useful, please upvote it.

Ciao.

Giuseppe

0 Karma
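Both of gcusello's replies rest on the same two ideas: the source field tells you whether an event arrived on a udp/tcp syslog input or from a file monitored by a Universal Forwarder, and a perimeter lookup records how each host is supposed to be sending. The search below is an added example, not from the thread: it classifies each host's observed mechanism from source and compares it against a perimeter lookup. The lookup definition name ingest_perimeter and its fields host and expected_mechanism (values syslog, uf_file) are assumptions.

```spl
| tstats count where index=* earliest=-24h by host source
| eval observed_mechanism=case(
    match(source, "^(udp|tcp):[0-9]+$"), "syslog",
    match(source, "^(/|[A-Za-z]:)"), "uf_file",
    true(), "other")
| stats sum(count) AS events values(source) AS sources by host observed_mechanism
| lookup ingest_perimeter host OUTPUT expected_mechanism
| eval status=case(
    isnull(expected_mechanism), "not_in_perimeter",
    expected_mechanism!=observed_mechanism, "mismatch",
    true(), "ok")
| table host observed_mechanism expected_mechanism status events sources
```

A host using both mechanisms produces one row per mechanism, so a mismatch row next to an ok row means the host is sending on an extra path the perimeter does not list. Hosts whose syslog is first written to a file by rsyslog or syslog-ng will classify as uf_file, which is exactly the limitation Giuseppe describes.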