
I have a running centralized syslog server (rsyslog on CentOS6, which works perfectly). The next step was to add Splunk as a syslog analyzing tool. All was installed perfectly: Splunk works, I can log in to the front end and add a data source (TCP port 514), but from there I don't see any data indexed by Splunk.

rsyslog config for data storage and processing looks like:

# load the MySQL output module (it only needs to be declared once)
$ModLoad ommysql
# write every message to the local MySQL database
*.* :ommysql:127.0.0.1,rsysdb,rsyslog,password
# forward every message over TCP (@@) to the Splunk listener on this host
*.* @@localhost

Any clue why Splunk is not receiving any data?

Thanks

  • It is very difficult to predict what is wrong with your setup. Most probably you did not configure the data source properly. –  Sep 10 '13 at 12:55
  • While Splunk can often be used in the place of a SIEM or for security operations it is not necessarily a security tool. You may find more expertise in this tool at our sister site for Information Technology Professionals [SF]. – Scott Pack Sep 10 '13 at 13:29
  • @ScottPack thanks for pointing me to the proper site – JackTheKnife Sep 11 '13 at 19:38

1 Answer


Well, I got the issue resolved by using the local IP instead of the domain 'localhost', so the line for syslog forwarding to Splunk (TCP connection) looks like

*.* @@127.0.0.1

since Splunk is on the same server as rsyslog. Splunk is set to listen on TCP port 514, with the data set as syslog.
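As an added check (example code, not from the question or answer above): a small Python script that shows what the name in an rsyslog '@@' target actually resolves to, and exercises the TCP forwarding path against a stand-in listener so that what was sent can be compared with what arrived. The hostname, tag, message text and timestamp are constructed for the example.

```python
import socket
import threading
from datetime import datetime

def build_syslog_line(facility, severity, hostname, tag, text, ts=None):
    # RFC 3164-style line, newline-terminated as rsyslog's @@ (TCP) action sends by default.
    pri = facility * 8 + severity
    ts = ts or datetime(2013, 9, 10, 12, 55, 0)  # fixed constructed timestamp, reproducible output
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # BSD timestamp: day is space-padded, not zero-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {text}\n"

def resolve_target(name, port=514):
    # What an rsyslog '@@name' target resolves to; 'localhost' can yield ::1 ahead of 127.0.0.1,
    # and a listener bound only to IPv4 never sees a connection made to ::1.
    return [(ai[0].name, ai[4][0]) for ai in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)]

def start_capture_listener(host="127.0.0.1", port=0):
    # Stand-in for the Splunk TCP input: accept one connection and record everything it sends.
    # port=0 picks a free port, so the check runs unprivileged instead of needing 514.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    received = []

    def run():
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while (data := conn.recv(4096)):
                chunks.append(data)
        received.append(b"".join(chunks).decode())
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t, srv.getsockname()[1], received

def send_tcp_syslog(host, port, line, timeout=3.0):
    # Same thing rsyslog does for '*.* @@host': a plain TCP connect, then the line.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode())
    return True

def forwarding_roundtrip():
    # End-to-end check: returns (what was sent, what the listener actually received).
    thread, port, received = start_capture_listener()
    line = build_syslog_line(1, 6, "syslog01", "rsyslogd", "splunk forwarding test")  # user.info
    send_tcp_syslog("127.0.0.1", port, line)
    thread.join(timeout=5)
    return line, (received[0] if received else None)
```

Run `resolve_target("localhost")` on the syslog host to see whether the first address returned is the one Splunk is bound to, and `forwarding_roundtrip()` to confirm the TCP path itself delivers a line intact.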