Admin Manual

syslog

This documentation does not apply to the most recent version of Splunk.

Syslog can be configured to receive events from both local and remote sources, and then feed them to Splunk.


The best way to send data from syslog to Splunk is via a FIFO. It offers much higher performance than log files.


First, create a FIFO on your server.


# mkfifo /var/run/splunk-syslog

Next, edit syslog.conf to specify which facility and which priority are sent to your FIFO.


facility.priority | /var/run/splunk-syslog

This example sends all events from facility local5 to Splunk.


local5.* | /var/run/splunk-syslog

This example sends everything to Splunk.


*.* | /var/run/splunk-syslog

Finally, configure Splunk's FIFO input module to load data from the FIFO you've created. Be careful not to send non-syslog data through syslog into Splunk or it may be parsed incorrectly.
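To exercise the syslog-to-FIFO path end to end without a live syslogd, here is an added shell example (not from the Splunk documentation) that creates the FIFO with owner-only permissions, builds the syslog.conf selector line for a facility.priority pair, and stands a background reader in for Splunk's FIFO input; the paths and the sample messages are constructed. It also shows the caveat that a write to the FIFO blocks until a reader is attached, so Splunk's input must be running before syslogd starts sending.

```shell
#!/bin/sh
# Added example (not from the Splunk docs): exercise the syslog -> FIFO -> Splunk
# path without a live syslogd, using a background reader in place of Splunk's
# FIFO input. Paths and sample messages are constructed for this demo.

# Create the FIFO with owner-only permissions so only the syslog daemon
# (running as root) can write events that end up indexed in Splunk.
make_syslog_fifo() {
    fifo="$1"
    [ -p "$fifo" ] && return 0
    mkfifo -m 0600 "$fifo"
}

# Build the syslog.conf selector line for a facility.priority pair, refusing
# anything that is not a valid facility name or priority keyword.
syslog_conf_line() {
    fac="$1"; pri="$2"; fifo="$3"
    case "$fac" in
        auth|authpriv|cron|daemon|kern|lpr|mail|news|syslog|user|uucp|local[0-7]|\*) ;;
        *) echo "invalid facility: $fac" >&2; return 1 ;;
    esac
    case "$pri" in
        emerg|alert|crit|err|warning|notice|info|debug|none|\*) ;;
        *) echo "invalid priority: $pri" >&2; return 1 ;;
    esac
    printf '%s.%s | %s\n' "$fac" "$pri" "$fifo"
}

# Simulate the pipeline: the reader (Splunk's FIFO input) must be attached
# before syslogd writes, otherwise the writer blocks. Prints the number of
# lines that reached the reader's output file.
run_fifo_demo() {
    dir=$(mktemp -d)
    fifo="$dir/splunk-syslog"
    out="$dir/indexed.log"
    make_syslog_fifo "$fifo"
    # Reader side: stands in for Splunk, draining the FIFO into a file.
    cat "$fifo" > "$out" &
    reader=$!
    # Writer side: stands in for syslogd emitting two local5 events (constructed).
    printf '%s\n' \
        '<173>Jun  1 12:00:00 host1 app[123]: user login ok' \
        '<172>Jun  1 12:00:01 host1 app[123]: disk usage 91%' > "$fifo"
    wait "$reader"
    wc -l < "$out" | tr -d ' '
    rm -rf "$dir"
}
```

Run the functions in this order when wiring up a real host: create the FIFO, start Splunk's FIFO input, and only then add the selector line and restart syslogd.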


For more specific routing rules, consider syslog-ng.


This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6

