Syslog - TCP/UDP
Splunk Enterprise can listen on a TCP or UDP port for data coming from the syslog service on one or more machines. You can get syslog data from these hosts for easy searching, reporting and alerting.
To get syslog data over TCP or UDP, configure Splunk Enterprise to listen on a network port for incoming syslog data:
A. Go to the Add New page
Add a network input from the Add Data page in Splunk Web. See "How do you want to add data?" in this manual.
You can get there through two routes:
- Splunk Home
- Splunk Settings
Via Splunk Settings:
1. Click Settings in the upper right-hand corner of Splunk Web.
2. In the Data section of the Settings pop-up, click Data Inputs.
3. Pick TCP or UDP.
4. Click the New button to add an input.
Via Splunk Home:
1. Click the Add Data link in Splunk Home.
2. Click Monitor to monitor a network port on the local machine, or Forward to receive network data from another machine.
Note: Forwarding a file requires additional setup.
3. If you selected Forward, choose or create the group of forwarders you want this input to apply to. See "Forward data" in this manual.
4. Click the green Next button.
B. Specify the network input
1. In the left pane, click on TCP / UDP to add an input.
2. To choose between a TCP or UDP input, click either the TCP or UDP button.
2. In the Port field, enter a port number.
Note: The user you run Splunk Enterprise as must have access to the port. On a stock Unix system, you must run Splunk Enterprise as root to listen on a port below 1024.
3. In the Source name override field, enter a new source name to override the default source value, if necessary.
Important: Consult Splunk Support before changing this value.
4. If this is a TCP input, you can specify whether this port should accept connections from all hosts or one host in the Only accept connections from field.
- If you only want the input to accept connections from one host, enter the host name or IP address of the host. You can use wildcards to specify hosts.
5. Click Next to continue to the Input Settings page.
C. Specify input settings
The Input Settings page lets you specify source type, application context, default host value, and index. All of these parameters are optional.
1. Set the Source type. This is a default field added to events. Splunk Enterprise uses the source type to determine processing characteristics, such as timestamps and event boundaries. For information on overriding Splunk's automatic source typing, see "Override automatic source type assignment" in this manual.
2. Set the Host name value. You have several choices for this setting:
- IP. Sets the input processor to rewrite the host with the IP address of the remote server.
- DNS. Sets the host to the DNS entry of the remote server.
- Custom. Sets the host to a user-defined label.
Learn more about setting the host value in "About hosts".
- Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
3. Set the Index that Splunk Enterprise should send data to for this input. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
4. Click the green Review button.
D. Review your choices
After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.
Review the settings. If they do not match what you want, click the gray < button to go back to the previous step in the wizard. Otherwise, click the green Submit button.
Splunk Enterprise then loads the "Success" page and begins indexing the specified network input.
For more information on getting data from the network, see "Get data from TCP and UDP ports" in this manual.
Files and directories - remote
Windows event logs - local
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0