How Splunk Enterprise handles syslog data over UDP
Splunk Enterprise can act as a syslog server or a syslog message sender. If you have Splunk Cloud, you cannot configure your deployment as a syslog server or a syslog message sender, but you can configure the Splunk Universal Forwarder to listen on a UDP network port and forward data to your Splunk Cloud deployment.
While it is possible to configure Splunk Enterprise to receive syslog events directly, refrain from doing so for the following reasons:
- Splunk best practice involves setting up a separate machine that runs a syslog service to handle syslog tasks
- Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event.)
- Syslog data streams to only one Splunk Enterprise instance in this scenario. In a deployment with multiple indexers, you must perform additional work to distribute the data across those indexers
- If Splunk Enterprise fails for any reason, any syslog messages that were sent during the downtime would be irrecoverably lost
Do not substitute Splunk Enterprise for a syslog server in regular use unless you have no other options.
If you must retain raw syslog data (for example, a data retention policy requires access to untouched events), consider using a tool such as
syslog-ng to simultaneously save the raw data to a log file and forward events to your Splunk deployment. This gives you the added advantage of indexing the log file later if you want.
See the diagrams later in this topic for a description of how Splunk Enterprise handles syslog events over UDP.
How Splunk Enterprise handles syslog inputs
When you configure a UDP network input to listen to a syslog in Splunk Enterprise, any syslog events that arrive through the input receive a timestamp and connected host field. Splunk Enterprise prepends these fields to each event before indexing.
You can change this behavior by setting the
no_appending_timestamp attribute in inputs.conf.
If the data contains a syslog header, Splunk Enterprise strips it out unless you set the
no_priority_stripping attribute in the stanza.
Splunk Enterprise does not modify TCP packets in this fashion. If you send syslog data over TCP, Splunk Enterprise does not strip priority information from the events. It does, however, prepend a host name and time stamp to the event unless you tell it not to.
How Splunk Enterprise handles syslog outputs
Splunk Enterprise can also forward events to another syslog server. When it does, it prepends the priority information to the event so that the downstream syslog server can translate the events properly.
When the event reaches the downstream syslog server, that host prepends a timestamp, priority, and connected host name, which is the Splunk Enterprise instance.
You can also prepend a timestamp and host name to the event at the time you forward the event to the syslog server.
How Splunk Enterprise moves syslog events when you configure it to use syslog source type
The following diagram shows how Splunk Enterprise moves two syslog messages from one syslog server to another. In the diagram, Splunk Enterprise listens on a UDP network port and indexes incoming events. On the other side, the same instance forwards events to a second, third-party syslog server.
In the diagram, Message A originates as a syslog event and Message B originates as a similar event that does not have priority information associated with it. Upon receipt, Splunk Enterprise tags the events with a timestamp and the host that generated the event.
If you configured the instance as a forwarder, Splunk Enterprise then transforms the events by adding a priority header (that you specify in
outputs.conf) before it forwards the events on to the syslog server. Once they arrive at the syslog server, that server prepends timestamp and host data to the events as it received them from the Splunk Enterprise instance.
How Splunk Enterprise moves syslog events when you configure a custom source type
In this diagram, Splunk Enterprise has been configured to use a non-syslog source type.
The initial Messages A and B are identical to the first example. In this example, Splunk Enterprise prepends the event with an originating host name or IP address.
How Splunk Enterprise moves syslog events when you configure it with timestamping
You can also configure Splunk Enterprise to add timestamps to syslog events when you forward those events. You could time stamp the events when you don't want the downstream server to add its own timestamp. The following diagram shows the required attribute and depicts how Splunk Enterprise deals with the data.
The initial Messages A and B are identical to the first and second examples. Splunk Enterprise prepends the events with a timestamp and an originating host name or IP address.
Get data from TCP and UDP ports
Send SNMP events to your Splunk deployment
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6