I'm trying to capture syslogs from an Adtran router in Splunk. I have confirmed that the Adtran is sending syslogs on UDP port 514 to the correct server. I couldn't get Splunk to read them directly. I saw several forum posts stating that it was recommended to send them to Rsyslog anyway, so that if Splunk needed to be restarted the data wouldn't be lost. The link to the documentation page was broken and I can't seem to find it in the documentation.
Unfortunately, I'm stuck using a Windows server, so much of the help data that relates to Linux is not helpful to me.
I think Rsyslog is set up correctly. Here is what I've done.
Go under "Services" and find the "syslog server" service I've created. Click "test syslog server". Click "send" under test and it tells me I'm successful. Under the message properties tab, it shows the same syslog facility that I have chosen, local0. Under source name, however, it has the server name. Not sure if that's right.
Assuming that the service is configured correctly, the ruleset has to be correct. I just took the default ruleset and changed the syslog server to the server's local IP.
Therefore, I think rsyslog is set up correctly.
So I think I'm messing up getting Splunk to correctly read from Rsyslog. This seems to be well documented on Linux but I can't seem to find it for Windows.
Any help for a n00b would be appreciated.