Splunk® Enterprise

Getting Data In

Download manual as PDF

Download topic as PDF

How Splunk Enterprise handles syslog data over UDP

Splunk Enterprise can act as a syslog server or a syslog message sender. If you have Splunk Cloud, you cannot configure your deployment as a syslog server or a syslog message sender, but you can configure the Splunk Universal Forwarder to listen on a UDP network port and forward data to your Splunk Cloud deployment.

While it is possible to configure Splunk Enterprise to receive syslog events directly, refrain from doing so for the following reasons:

  • Splunk best practice involves setting up a separate machine that runs a syslog service to handle syslog tasks
  • Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event.)
  • Syslog data streams to only one Splunk Enterprise instance in this scenario. In a deployment with multiple indexers, you must perform additional work to distribute the data across those indexers
  • If Splunk Enterprise fails for any reason, any syslog messages that were sent during the downtime would be irrecoverably lost

Do not substitute Splunk Enterprise for a syslog server in regular use unless you have no other options.

If you must retain raw syslog data (for example, a data retention policy requires access to untouched events), consider using a tool such as syslog-ng to simultaneously save the raw data to a log file and forward events to your Splunk deployment. This gives you the added advantage of indexing the log file later if you want.

See the diagrams later in this topic for a description of how Splunk Enterprise handles syslog events over UDP.

How Splunk Enterprise handles syslog inputs

When you configure a UDP network input to listen to a syslog in Splunk Enterprise, any syslog events that arrive through the input receive a timestamp and connected host field. Splunk Enterprise prepends these fields to each event before indexing.

You can change this behavior by setting the no_appending_timestamp attribute in inputs.conf.

If the data contains a syslog header, Splunk Enterprise strips it out unless you set the no_priority_stripping attribute in the stanza.

Splunk Enterprise does not modify TCP packets in this fashion. If you send syslog data over TCP, Splunk Enterprise does not strip priority information from the events. It does, however, prepend a host name and time stamp to the event unless you tell it not to.

How Splunk Enterprise handles syslog outputs

Splunk Enterprise can also forward events to another syslog server. When it does, it prepends the priority information to the event so that the downstream syslog server can translate the events properly.

When the event reaches the downstream syslog server, that host prepends a timestamp, priority, and connected host name, which is the Splunk Enterprise instance.

You can also prepend a timestamp and host name to the event at the time you forward the event to the syslog server.

For information on configuring routing, filtering, and usage of source types, see Route and filter data in the Forwarding Data manual and the props.conf spec file in the Admin manual.

How Splunk Enterprise moves syslog events when you configure it to use syslog source type

The following diagram shows how Splunk Enterprise moves two syslog messages from one syslog server to another. In the diagram, Splunk Enterprise listens on a UDP network port and indexes incoming events. On the other side, the same instance forwards events to a second, third-party syslog server.

62 splunk syslog handling.png

In the diagram, Message A originates as a syslog event and Message B originates as a similar event that does not have priority information associated with it. Upon receipt, Splunk Enterprise tags the events with a timestamp and the host that generated the event.

If you configured the instance as a forwarder, Splunk Enterprise then transforms the events by adding a priority header (that you specify in outputs.conf) before it forwards the events on to the syslog server. Once they arrive at the syslog server, that server prepends timestamp and host data to the events as it received them from the Splunk Enterprise instance.

How Splunk Enterprise moves syslog events when you configure a custom source type

In this diagram, Splunk Enterprise has been configured to use a non-syslog source type.

The initial Messages A and B are identical to the first example. In this example, Splunk Enterprise prepends the event with an originating host name or IP address.

62 splunk syslog handling custom.png

How Splunk Enterprise moves syslog events when you configure it with timestamping

You can also configure Splunk Enterprise to add timestamps to syslog events when you forward those events. You could time stamp the events when you don't want the downstream server to add its own timestamp. The following diagram shows the required attribute and depicts how Splunk Enterprise deals with the data.

The initial Messages A and B are identical to the first and second examples. Splunk Enterprise prepends the events with a timestamp and an originating host name or IP address.

62 splunk syslog handling timestamp.png

Get data from TCP and UDP ports
Send SNMP events to your Splunk deployment

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters