Syslog - TCP
Splunk can listen on a TCP port for data coming from the syslog service on one or more hosts. You can use Splunk to gather syslog data from these hosts for easy searching, reporting and alerting.
To get syslog data over TCP, configure Splunk to listen on a network port for incoming syslog data:
1. Go to the Syslog page in Splunk Web.
2. Then, choose "Next" under Syslog data from TCP.
3. On the next page, in the TCP port field, enter the TCP port on which you will accept connections from other systems running syslog.
4. You then decide whether or not to Accept connections from all hosts. Do so by checking either the Yes or No, restrict to one host radio buttons.
If you select No, restrict to one host, another field named Host Restriction appears. Enter the name of one valid host on your network - Splunk will only accept connections from that computer.
5. Optionally, you can tell Splunk to override the default source value for your script, by putting a string into the Source name override field.
6. You can also set the sourcetype of the events generated by this source by choosing From list in the Set sourcetype drop-down, then selecting the desired choice from the Select source type from list drop-down.
You will typically want to set the source type to 'syslog'.
7. Alternatively, you can choose Manually from "Set sourcetype," and then enter a string in the Source type field that appears.
You can usually leave the other fields unchanged, including the fields under the More settings option.
8. Finally, click Save.
9. From the Success page, click Search to start searching. You can enter any term that’s in your data, or you can click on a source, source type or host to see data from the different directories within your syslog directory, the different types of data in those directories, or the different hosts that sent the syslog data in the first place.
For more information on getting data from the network, see "Get data from TCP and UDP ports" in this manual.
Syslog - local
Syslog - UDP
This documentation applies to the following versions of Splunk® Enterprise: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10