Get syslog data into an Edge Processor
Edge Processors support syslog data. Syslog is a network-based mechanism that allows sending data from various devices directly to an Edge Processor. Send events from your syslog data source to an Edge Processor so that you can process your data before sending it to the Splunk platform or other data destinations.
To send syslog data directly from the data source to an Edge Processor, do the following:
- Configure a receiving port for syslog data. See Configure a port for receiving syslog data.
- Configure your Edge Processor to be able to receive syslog data. See Activate the syslog receiver on your Edge Processor.
- Review how timestamps are assigned to syslog events, and configure timestamp and time zone assignment if needed. See Configure timestamping for syslog events.
- Configure your device to send data to your Edge Processor. See Configure your device to send syslog data to an Edge Processor.
As alternatives, you can also use Splunk forwarders or Splunk Connect for Syslog (SC4S) to send syslog data to an Edge Processor.
- For information about using forwarders, see the Splunk Cloud Platform Forwarding Data manual and Get data from a forwarder into an Edge Processor.
- For information about using SC4S, see Use SC4S to get syslog data into an Edge Processor in this topic.
Prerequisites
Before configuring your Edge Processor to receive syslog data, make sure the following requirements are met:
- On the host machine of your Edge Processor, the port that you want to use to receive syslog data is available, and your network policy allows that port to be opened.
- If you want to secure communications between your data source and your Edge Processor using mutually authenticated TLS (mTLS), which means that the data source and the Edge Processor must prove their identities by presenting valid TLS certificates before they can connect and communicate with each other, start by confirming that TLS is available on your syslog device or forwarder. Then, obtain the following certificates in Privacy Enhanced Mail (PEM) format:
- A client certificate, CA certificate, and private key that the data source can use to prove its identity.
- A server certificate, CA certificate, and private key that the Edge Processor can use to prove its identity.
These certificates can be self-signed or they can be signed by a third-party. See Obtain TLS certificates for data sources and Edge Processors for information on generating client and server certificates.
Configure a port for receiving syslog data
Specify the port that your Edge Processors use to listen for incoming syslog data. You can choose to use a different port for every source type assigned to your incoming syslog data, or use one port for all incoming syslog traffic. If you use one port for all incoming syslog traffic, set the source type associated with the port to a placeholder value. You will need to use a pipeline to manually extract data values into fields and append the correct sourcetype value for each log.
- In the Edge Processor service, navigate to the Edge Processors page.
- Select Shared settings.
- Select New port in the Syslog section.
- In the Port field, enter your desired port number. Enter a unique port number that is not 8888 or 1777. You may use the same port if the transport protocol is different.
You can use ports 1-1024 only if you run your Edge Processor instances as root. If you don't want to run your Edge Processor instances as root, then you must enter port numbers 1025 or higher. Alternatively, consult your Linux administrator to allow non-root users to use ports 1-1024.
- In the Source type field, select a source type or enter your own. The source type is the metadata value assigned to incoming syslog data.
- In the RFC protocol field, select the RFC protocol that matches your syslog data. The transport protocol is determined by the RFC protocol selected. If your syslog data does not meet the selected RFC protocol standards, select Other formats. In this case, you need to manually configure field extractions through the pipeline. See Extract fields from event data using an Edge Processor for more information on configuring field extractions and Request body format for more information on RFC protocol standards.
- (Optional) In the Default source field, enter a source if your event does not have it.
- Select Save.
- To edit an existing port, select the Edit icon. To delete an existing port, select the Delete icon.
Next, activate the syslog receiver on your Edge Processor.
Activate the syslog receiver on your Edge Processor
Configure your Edge Processor to support incoming syslog data.
The following instructions mention the settings that are required for receiving syslog data. For information about other Edge Processor settings, see Add an Edge Processor.
- In the Edge Processor service, navigate to the Edge Processors page.
- To access the receiver settings, do one of the following:
- In the Receive data from these inputs section, select Syslog.
- If you want to use mTLS to secure the communications between your syslog data sources and the Edge Processor, then do the following:
- In the Syslog section, select mTLS.
- If this is the first time that the mTLS settings have been turned on for this Edge Processor, then upload PEM files containing the certificates for proving the Edge Processor's identity in the Server private key, Server certificate, and CA certificates fields.
The Edge Processor uses the same PEM files to prove its identity to all data sources where mTLS is used. For example, if you are also using mTLS with Splunk forwarders, then the Edge Processor uses the same server-side PEM files when receiving data from forwarders and syslog data sources.
- Select Save.
The Edge Processor can now receive data from a syslog data source. Next, review how timestamps are assigned to syslog events, and configure timestamp and time zone assignment if needed.
Configure timestamping for syslog events
When you use an Edge Processor to process and route syslog data, the way that timestamps are assigned to the events varies depending on the kind of destination that the Edge Processor sends the syslog data to. The following table explains how timestamps are assigned to syslog events based on the specified destination kind, and provides links to instructions for how you can configure the timestamp assignment behavior:
Destination | How the timestamp is assigned
---|---
Splunk platform S2S | The indexer in the destination assigns event timestamps according to the configuration settings in the props.conf file.
Splunk platform HEC or Amazon S3 | When you configure a port for the Edge Processor to start receiving syslog data, you select an RFC protocol. If the data passes through an Edge Processor pipeline that modifies the The Edge Processor renames the
Configure the time zone of your syslog data
If your syslog events do not specify a time zone, then the Edge Processor uses Universal Time Coordinated (UTC) by default. You can override this default behavior for all of the Edge Processors in the tenant by configuring the Time zone for syslog data shared setting. However, be aware that this shared setting only takes effect in situations where the following conditions are met:
- The syslog events use the RFC 3164 protocol.
- The pipelines that process the events are configured to send them to either a Splunk platform HEC destination or an Amazon S3 destination.
- The pipelines that process the events do not include commands that write values to the _time field. The _time field stores timestamps in Unix time. Unix timestamps are absolute values that are not influenced by time zones, so the Time zone for syslog data shared setting is not applicable to timestamps in the _time field.
To configure the Time zone for syslog data shared setting, do the following:
- In the Edge Processor service, navigate to the Edge Processors page.
- Select Shared settings.
- In the Time zone for syslog data section, select Edit.
- Select your desired time zone assignment.
- Select Use system local time if you want to use the time zone that is associated with the local system time of your host machine.
- Select Assign time zone if you want to use a specific time zone from the options provided.
- Select Save.
If there are errors when the Edge Processor validates the time zone, then the Edge Processor falls back to using UTC. Validation errors can occur if, for example, there are no time zone databases installed on the Edge Processor host.
Next, configure your syslog device to send data to the Edge Processor.
Configure your device to send syslog data to an Edge Processor
Configure your syslog data source to send data to an Edge Processor instance and through the assigned port. If you configured your Edge Processor to use mTLS to secure communications from syslog data sources, then you must configure the data source to provide TLS certificates that prove its identity. Refer to the documentation for your specific data source for information on how to configure it to use TLS certificates.
The following are examples of basic TCP and UDP requests that send hello, world! as a syslog event to an Edge Processor instance.
Example of a basic TCP request:
echo 'hello, world' | nc host_123ghnskfpi 8090
Example of a basic UDP request:
echo 'hello, world' | nc -u host_123ghnskfpi 8090
For best results, make sure that the requests follow the requirements and best practices described in the following sections:
In the Edge Processor service, you can find examples of basic requests that have the host name and port values relevant to your Edge Processors. You can use these examples as a starting point for your requests. See Get syslog request examples with your Edge Processor information in this topic.
URI format
The request must be directed to a Uniform Resource Identifier (URI) written in this format:
<host>:<port>
The variables are defined as follows:
- <host> is the host name of a specific Edge Processor instance.
- <port> is the number of the port that the Edge Processor instance uses to receive syslog data. This port number is a shared configuration setting that is specified in the Edge Processor service. See Configure a port for receiving syslog data for more information.
Request body format
The body of the syslog data depends on your RFC protocol. Other optional parameters and event fields are also supported.
As a best practice for reducing inaccuracies in the Edge Processor metrics, make sure that your syslog request specifies a host value. The Inbound data sources metric is based on the number of distinct host values detected in the inbound events.
The following table mentions the RFC protocols supported by the Edge Processor:
RFC protocol | Format | Example
---|---|---
5424 and 6587 | <Priority>version timestamp hostname app-name procid msgid structured-data msg | <165>1 2023-07-17T22:14:15.003Z hello.world.com evntslog 123 - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn applicationevent log entry
3164 | <priority>timestamp hostname message | <priority><132>Jul 17 22:14:015 hello.world.com evntslog BOMAn applicationevent log entry
If your syslog data does not meet the selected RFC protocol standards, select Other formats when configuring a port for your syslog data. You need to manually configure field extractions through the pipeline.
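The nc commands above send an unframed string, which is fine for a smoke test but does not exercise the RFC layouts in the table. The following is an added example, not Splunk's code: it builds messages in both layouts, computes the PRI value (facility * 8 + severity, so <165> is facility 20, severity 5), and sends them over TCP or UDP, optionally wrapping the TCP connection in client-authenticated TLS as described under Prerequisites. The host name and port are the placeholders from the page's nc examples; the certificate file names passed to mtls_context are assumptions.

```python
"""Build RFC 5424 / RFC 3164 syslog messages and send them to an Edge Processor.

Added example, not Splunk's code. EP_HOST and EP_PORT are the placeholders from
the page's nc examples; any certificate paths you pass in are your own.
"""
import socket
import ssl
from datetime import datetime, timezone

EP_HOST = "host_123ghnskfpi"  # placeholder host name from the page's examples
EP_PORT = 8090                # placeholder port from the page's examples
EXAMPLE_WHEN = datetime(2023, 7, 17, 22, 14, 15, 3000, tzinfo=timezone.utc)


def pri(facility: int, severity: int) -> int:
    """PRI is facility * 8 + severity; <165> in the page's example is 20/5."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def rfc5424(msg, hostname, app, facility=20, severity=5,
            procid="-", msgid="-", sd="-", when=None):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG."""
    when = when or datetime.now(timezone.utc)
    # RFC 5424 wants an RFC 3339 timestamp; emit UTC with a trailing Z.
    ts = when.astimezone(timezone.utc).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    return f"<{pri(facility, severity)}>1 {ts} {hostname} {app} {procid} {msgid} {sd} {msg}"


def rfc3164(msg, hostname, app, facility=20, severity=5, when=None):
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG; a single-digit day is padded with a space."""
    when = when or datetime.now()
    # No year and no zone in this layout, which is why the time zone setting matters.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {app}: {msg}"


def mtls_context(ca_file, cert_file, key_file):
    """Client-side context for the mTLS receiver: trust the CA that signed the
    Edge Processor's server certificate, and present the data source's own
    certificate and private key (all PEM files)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def send(message, host=EP_HOST, port=EP_PORT, udp=False, tls=None):
    """Deliver one message; TCP uses newline framing like the page's `echo | nc`.
    Returns the number of bytes handed to the socket."""
    data = (message + "\n").encode("utf-8")
    if udp:
        if tls:
            raise ValueError("TLS is only available on the TCP transport")
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
        return len(data)
    with socket.create_connection((host, port), timeout=5) as raw:
        if tls is None:
            raw.sendall(data)
        else:
            with tls.wrap_socket(raw, server_hostname=host) as sock:
                sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    event = rfc5424("hello, world!", "hello.world.com", "evntslog", procid="123")
    print(event)
    send(event)                                             # plain TCP, as in the nc example
    send(rfc3164("hello, world!", "hello.world.com", "evntslog"), udp=True)
```

For the mTLS case, pass `tls=mtls_context("ca.pem", "client.pem", "client-key.pem")` (assumed file names) to `send`; the context verifies the Edge Processor's server certificate against the CA file and presents the client certificate, which is exactly the exchange the Prerequisites section describes.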
Syslog data behavior based on selected RFC protocol
The Edge Processor extracts fields from your data based on the RFC protocol you selected. Select the correct RFC protocol to ensure accurate data formatting.
The following table shows how syslog data with a specific RFC protocol behaves when matched with other RFC protocols:
Original RFC protocol of the data | RFC 5424 or 6587 is selected | RFC 3164 is selected | Other is selected
---|---|---|---
RFC 5424 and 6587 | All fields recognized | Host : <nil> | All fields recognized
RFC 3164 | Host : <nil> | All fields recognized | Host : <nil>
Other | Host : <nil> | Host : <nil> | Host : <nil>
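To see why a mismatched RFC selection ends in Host : <nil>, and what the Time zone for syslog data setting does to the _time value of RFC 3164 events (which carry neither a year nor a zone), here is an added example. It is not Splunk's code and does not reproduce the Edge Processor's own parser; the two sample messages are constructed after the format table, the Other column follows the behaviour table above (the 5424 layout is still recognised), and the UTC fallback mirrors the validation-error behaviour described in the time zone section. Python 3.9 or later is needed for zoneinfo.

```python
"""Field extraction by selected RFC, and the effect of the time zone setting on _time.

Added example for this page; it is not Splunk's code and does not reproduce the
Edge Processor's own parser. Needs Python 3.9+ for zoneinfo."""
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Sample events, constructed after the format table on this page.
EX_5424 = ('<165>1 2023-07-17T22:14:15.003Z hello.world.com evntslog 123 ID47 '
           '[exampleSDID@32473 iut="3"] An application event log entry')
EX_3164 = '<132>Jul 17 22:14:15 hello.world.com evntslog: An application event log entry'

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

NO_MATCH = {"host": None, "_time": None}  # the table's "Host : <nil>" outcome


def resolve_tz(name):
    """Return (tzinfo, name_used); fall back to UTC when the zone cannot be
    validated (unknown name, or no time zone database on the host)."""
    try:
        return ZoneInfo(name), name
    except (ZoneInfoNotFoundError, ValueError):
        return timezone.utc, "UTC"


def parse(message, selected, syslog_tz="UTC", year=None):
    """Parse `message` under the RFC selected for the receiving port.
    "other" still recognises the 5424 layout, as the table's last column shows."""
    if selected in ("5424", "6587", "other"):
        m = RFC5424_RE.match(message)
        if not m:
            return dict(NO_MATCH)
        pri = int(m["pri"])
        try:  # a 5424 timestamp carries its own offset; "Z" needs normalising before 3.11
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            epoch = ts.timestamp() if ts.tzinfo else ts.replace(tzinfo=timezone.utc).timestamp()
        except ValueError:  # NILVALUE "-" or a malformed timestamp
            epoch = None
        return {"host": m["host"], "app": m["app"], "procid": m["procid"],
                "msgid": m["msgid"], "facility": pri // 8, "severity": pri % 8,
                "_time": epoch, "tz_used": "event", "msg": m["rest"]}
    if selected == "3164":
        m = RFC3164_RE.match(message)
        if not m:
            return dict(NO_MATCH)
        pri = int(m["pri"])
        tz, used = resolve_tz(syslog_tz)
        # No year and no zone in a 3164 timestamp: take the current year and the
        # shared Time zone for syslog data setting, then convert to Unix time.
        naive = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        when = naive.replace(year=year or datetime.now(tz).year, tzinfo=tz)
        return {"host": m["host"], "facility": pri // 8, "severity": pri % 8,
                "_time": when.timestamp(), "tz_used": used, "msg": m["msg"]}
    raise ValueError(f"unknown RFC selection: {selected!r}")


def behaviour_matrix():
    """Rebuild the behaviour table: rows are the data's real layout, columns the
    RFC selected on the port, cells the outcome for the host field."""
    samples = {"RFC 5424": EX_5424, "RFC 3164": EX_3164,
               "Other": "Jul 17 22:14:15 free-form text with no PRI header"}
    grid = {}
    for row, msg in samples.items():
        grid[row] = {}
        for col in ("5424", "3164", "other"):
            host = parse(msg, col)["host"]
            grid[row][col] = "All fields recognized" if host else "Host : <nil>"
    return grid


if __name__ == "__main__":
    for row, cols in behaviour_matrix().items():
        print(row, cols)
    for zone in ("UTC", "America/New_York", "Not/A_Zone"):
        r = parse(EX_3164, "3164", syslog_tz=zone, year=2023)
        print(zone, "->", r["tz_used"], r["_time"])
```

The same RFC 3164 message yields a different Unix _time for each zone setting (four hours apart between UTC and America/New_York in July), while the RFC 5424 message always resolves from its own offset; that is the practical reason the shared setting only applies to RFC 3164 events and only when no pipeline command has already written _time.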
Get syslog request examples with your Edge Processor information
You can find syslog request examples with hostname and port values relevant to your Edge Processors by doing the following:
- In the Edge Processor service, navigate to the Edge Processors page.
- In the row that lists your Edge Processor, select the Actions icon and then select Configure data sources.
- In the Configure data sources side panel, use the drop-down list to select Syslog.
- Select your source type and port to use, and then select an instance.
- To copy the example, select Copy to clipboard.
Use SC4S to get syslog data into an Edge Processor
As an alternative to sending syslog data directly from the data source to an Edge Processor, you can use SC4S to send syslog data to an Edge Processor through the HTTP Event Collector (HEC).
SC4S is a solution for ingesting syslog data into the Splunk platform. It provides robust support for parsing syslog data, allowing you to break and merge data into distinct events and set Splunk metadata fields such as index, host, source, and sourcetype. For more information about SC4S, see the Splunk Connect for Syslog documentation.
Using SC4S to get syslog data into an Edge Processor involves doing the following:
- Configure your Edge Processor to receive data through HEC. Because SC4S transmits data using HEC, you can use the same Edge Processor configurations as you would for receiving other HEC data. Follow the instructions provided in these sections of the Get data into an Edge Processor using HTTP Event Collector topic:
- If you don't already have an SC4S instance running, install SC4S. See the Getting Started chapter in the Splunk Connect for Syslog documentation.
For best results, run the installation in a containerized environment. Do not use the "Bring your own Environment" installation method unless it is necessary for supporting your syslog use cases.
- If you haven't already configured the data sources for your SC4S instance, configure SC4S to collect your syslog data. See the Sources chapter and the Configuration topic in the Splunk Connect for Syslog documentation.
- Make sure that SC4S sets the appropriate Splunk metadata in all the syslog data that it handles.
- Your data must be associated with a sourcetype value, or else Edge Processor pipelines cannot select that data for processing.
- As a best practice for reducing inaccuracies in the Edge Processor metrics, make sure that your data is also associated with a host value. The Inbound data sources metric is based on the number of distinct host values detected in the inbound events.
For information about the metadata configurations that SC4S uses by default, see the pages nested under "Known Vendors" in the Sources chapter of the Splunk Connect for Syslog documentation. For information about how to override these configurations, see SC4S metadata configuration in the Splunk Connect for Syslog documentation.
- Configure SC4S to use your Edge Processor as a HEC destination. See Configure SC4S to send data to an Edge Processor in this topic.
Configure SC4S to send data to an Edge Processor
If you have an SC4S instance that is collecting and parsing your syslog data, you can configure it to send syslog data to an Edge Processor for processing and routing.
- On the machine where SC4S is installed, set the SC4S_DEST_SPLUNK_HEC_DEFAULT_URL environment variable to the URL of your Edge Processor instance. If you're sending data to an Edge Processor instance group, then you can set this environment variable to a comma-separated list of the instance URLs. Each URL must be written in this format: <protocol>://<host>:<port>
The variables are defined as follows:
- <protocol> is either http or https.
- <host> is the host name of a specific Edge Processor instance.
- <port> is the number of the port that the Edge Processor instance uses to receive HEC requests. This port number is a shared configuration setting that is specified in the Edge Processor service. See Configure shared Edge Processor settings for more information.
- Depending on the specific installation method and runtime environment that is used, some SC4S deployments need to be restarted before configuration changes take effect. If necessary, restart SC4S.
- (Optional) Confirm if your Edge Processor is receiving, processing, and routing data from SC4S as expected.
- In the Edge Processor service, do the following:
- Navigate to the Edge Processors page. Then, in the row that lists your Edge Processor, select the Actions icon and then select Open.
- From the Metrics drop-down list, select a timeframe during which SC4S is sending data to the Edge Processor.
- In the Received data pane, confirm that the Source type list includes the source type of your syslog data.
- In the Data flowing through in the last <timeframe> area of the page, confirm that the Inbound data sources field includes the expected count of HEC sources. Each distinct host value in your syslog data is counted as 1 HEC source.
- In the Pipeline pane, check the Outbound data metrics to confirm that all your pipelines are successfully sending data out to the specified destinations.
- Browse or search your data destinations to confirm that they contain your syslog data as expected.
You can now use the Edge Processor solution to process the syslog data from your SC4S instance and send it to a supported destination of your choice.
Be aware that you might start seeing a message similar to the following in your SC4S logs. This log message is expected.
curl: (6) Could not resolve host: <IP or HOST>:<PORT> SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback Startup will continue to prevent data loss if this is a transient failure.
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408