Admin Manual


syslog-ng


Syslog-ng ("next generation") extends standard syslog: it accepts and sends events over both TCP and UDP, and its configuration is built from four kinds of statements: source, filter, destination and log.


As an example, this statement configures a source that reads remote syslog events on UDP port 514. Binding to 0.0.0.0 listens on every interface, and UDP syslog is unauthenticated and trivially spoofable, so on anything but a dedicated collection network restrict the listener to a specific interface address or firewall port 514 to the expected senders:


source src_udp { udp(ip (0.0.0.0) port(514)); };

Then, add a filter for events that match MSWinEventLog:


filter f_windows { match("MSWinEventLog"); };

Next, add a FIFO destination.


destination winFIFO { pipe("/var/log/splunk/syslog-ng/winFIFO"); };

Finally, this last rule will send all MSWinEventLog events that come in on port 514 to a FIFO from which Splunk can load them at high speed.


log { source(src_udp); filter(f_windows); destination(winFIFO); };

Configure Splunk's syslogFIFO input module to load the events from the FIFO. You can add regular expressions to create metadata values, such as severity::, for each event.
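The following is an added example, not part of this page or of Splunk's syslogFIFO module: a small reader that does on the consumer side what the syslog-ng statements above do on the producer side. It drops anything that does not carry the MSWinEventLog marker (the equivalent of filter f_windows), derives a severity:: value from the event-log type field by regular expression, and creates the FIFO with owner-only permissions, refusing to open a regular file or symlink planted at that path. It assumes the Snare-style tab-separated field layout that MSWinEventLog agents emit and a plain "date host message" header from syslog-ng's pipe template; the sample lines are constructed, not captured.

```python
"""Tag MSWinEventLog events read from a syslog-ng FIFO with a severity value.

Added example for this page; it is not Splunk's syslogFIFO module. The
Snare-style tab-separated layout and the syslog-ng line header are assumptions.
"""
import os
import re
import stat
from typing import Iterable, Iterator, Optional

# Same test as syslog-ng's filter f_windows: the marker anywhere in the line.
WINDOWS_MARKER = re.compile(r"\bMSWinEventLog\b")

# Assumed Snare layout: fields are tab-separated and the event-log type
# ("Success Audit", "Failure Audit", "Error", "Warning", "Information")
# sits between two tabs. That field drives the severity:: value.
SEVERITY_RE = re.compile(r"\t(Success Audit|Failure Audit|Error|Warning|Information)\t")

SEVERITY_MAP = {
    "Failure Audit": "high",
    "Error": "high",
    "Warning": "medium",
    "Success Audit": "low",
    "Information": "low",
}


def is_windows_event(line: str) -> bool:
    return WINDOWS_MARKER.search(line) is not None


def extract_severity(line: str) -> Optional[str]:
    m = SEVERITY_RE.search(line)
    return m.group(1) if m else None


def tag_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per Windows event; non-matching lines are dropped."""
    for raw in lines:
        line = raw.rstrip("\n")
        if not is_windows_event(line):
            continue
        label = extract_severity(line)
        yield {
            "raw": line,
            "event_log_type": label,
            "severity": SEVERITY_MAP.get(label, "unknown"),
        }


def ensure_fifo(path: str, mode: int = 0o600) -> None:
    """Create the FIFO if it is missing, private to the reading user.

    lstat() is used so a symlink at the path is rejected rather than
    followed: a writable log directory must not let someone redirect the
    reader to a file of their choosing.
    """
    if os.path.lexists(path):
        if not stat.S_ISFIFO(os.lstat(path).st_mode):
            raise RuntimeError(f"{path} exists and is not a FIFO")
        return
    os.mkfifo(path, mode)


def read_fifo(path: str) -> Iterator[dict]:
    """Block until syslog-ng opens its end, then stream tagged events."""
    ensure_fifo(path)
    with open(path, "r", encoding="utf-8", errors="replace") as fifo:
        yield from tag_events(fifo)


# Constructed sample input (assumed "date host message" header, Snare-style
# body): two Windows events and one unrelated line the filter must drop.
SAMPLE_LINES = [
    "Oct 11 22:14:15 dc01 MSWinEventLog\t1\tSecurity\t101\tSat Oct 11 22:14:15 2008"
    "\t529\tSecurity\tN/A\tN/A\tFailure Audit\tDC01\tLogon/Logoff"
    "\tLogon Failure: Unknown user name or bad password\t",
    "Oct 11 22:14:16 dc01 MSWinEventLog\t0\tSecurity\t102\tSat Oct 11 22:14:16 2008"
    "\t528\tSecurity\tN/A\tN/A\tSuccess Audit\tDC01\tLogon/Logoff"
    "\tSuccessful Logon\t",
    "Oct 11 22:14:17 web01 sshd[4242]: Accepted publickey for ops from 10.0.0.5",
]

if __name__ == "__main__":
    for ev in tag_events(SAMPLE_LINES):
        print(ev["severity"], ev["event_log_type"])
```

Point read_fifo() at the same path as the pipe() destination above (here /var/log/splunk/syslog-ng/winFIFO); the reader must be running, or at least have the FIFO open, before syslog-ng starts writing, otherwise syslog-ng's writes block and its queue fills.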



This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.