how can NLS send syslog data to splunk

This board serves as an open discussion and support collaboration point for Nagios Log Server. NOTE: Nagios Log Server customers should use the Customer Support forum to obtain expedited support.

how can NLS send syslog data to splunk

Postby hyacinth » Thu Feb 08, 2018 7:54 pm

Dear Friends,
We want to send syslog data from Nagios Log Server to Splunk. Splunk has finished the configuration to connect with NLS, but we don't know the location of the monitored syslog data.
We have tried to find the location as attached, but none of them seem like log data. Please help to check.
Attachments
log location.png
hyacinth
 
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

Re: how can NLS send syslog data to splunk

Postby mcapra » Fri Feb 09, 2018 9:21 am

If you're interested in forwarding events to Splunk, see this thread:
https://support.nagios.com/forum/viewtopic.php?f=37&t=47324
Former Nagios employee
http://www.mcapra.com/
mcapra
 
Posts: 3291
Joined: Thu May 05, 2016 3:54 pm

Re: how can NLS send syslog data to splunk

Postby npolovenko » Fri Feb 09, 2018 12:20 pm

Thanks, @mcapra!
@hyacinth, let us know if you have other questions.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
npolovenko
Support Tech
 
Posts: 1787
Joined: Mon May 15, 2017 5:00 pm

Re: how can NLS send syslog data to splunk

Postby hyacinth » Sat Feb 10, 2018 8:26 pm

@mcapra
Thanks mcapra, I have read that post before, but I don't know how and where to configure the code:
syslog {
procid => "Nagios"
facility => 'daemon'
host => '10.50.121.180'
port => '514'
protocol => 'tcp'
severity => 'informational'
}

One more question: can Nagios LS analyze and filter the collected syslog and then send only the useful syslog data to Splunk? How does it work? You know, too many useless logs will cost too much on Splunk.
hyacinth
 
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

Re: how can NLS send syslog data to splunk

Postby cdienger » Mon Feb 12, 2018 11:29 am

The output can be configured under Configure > Global (All Instances) > Global Config. Click "Show Outputs" in the top right corner and then Add Output > Custom. Give it a name ("Splunk Output" for example) and paste the output config.

You can use logic to only send specific data. For example, to send only logs from a client with an IP of 192.168.2.3:

if [host] == "192.168.2.3" {
    syslog {
        procid => "Nagios"
        facility => 'daemon'
        host => '10.50.121.180'
        port => '514'
        protocol => 'tcp'
        severity => 'informational'
    }
}


https://www.elastic.co/guide/en/logstas ... ation.html and https://www.elastic.co/guide/en/logstas ... mples.html have more details on logstash configuration.
cdienger
Support Tech
 
Posts: 1419
Joined: Tue Feb 07, 2017 11:26 am

Re: how can NLS send syslog data to splunk

Postby hyacinth » Tue Feb 20, 2018 2:23 am

@cdienger
host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
port => '514'
protocol => 'tcp'
"514" is a UDP port; should I change the protocol to udp?
hyacinth
 
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

Re: how can NLS send syslog data to splunk

Postby kyang » Tue Feb 20, 2018 12:29 pm

hyacinth wrote: @cdienger
host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
port => '514'
protocol => 'tcp'
"514" is a UDP port; should I change the protocol to udp?

@cdienger is out for the week, but I'll be happy to try and assist.

Yes, 10.50.121.180 should be your Splunk address.

You're right that 514 is a UDP port, but I'm not entirely sure if the protocol should be changed.

In that case, you should switch it to 'udp' and see if the output filter works. If not change it back to 'tcp' and test it again.

Let us know if you have any more questions.
kyang
Support Tech
 
Posts: 1790
Joined: Tue Jul 25, 2017 3:35 pm

Re: how can NLS send syslog data to splunk

Postby hyacinth » Thu Feb 22, 2018 1:57 am

@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
hyacinth
 
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am
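An added check for the "Splunk received nothing" situation (example script, not from the thread or from Nagios Log Server): it sends one hand-built RFC 3164 syslog line from the NLS host straight to the Splunk listener, bypassing Logstash, so a failure can be narrowed to the network path or listener rather than the output config. It assumes bash is available for /dev/tcp and /dev/udp, and uses the address and port from the thread as placeholders.

```shell
# Constructed example, not from the thread or from Nagios Log Server.
# Sends one RFC 3164 syslog line straight to the Splunk listener,
# bypassing Logstash, to separate "listener unreachable" from
# "Logstash output misconfigured". Needs bash for /dev/tcp and /dev/udp.
SPLUNK_HOST="${SPLUNK_HOST:-10.50.121.180}"   # address from the thread; adjust to yours
SPLUNK_PORT="${SPLUNK_PORT:-514}"

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1). Labels match
# the facility/severity names used in the thread's syslog output block.
syslog_pri() {
  case "$1" in
    kern) fac=0;; user) fac=1;; daemon) fac=3;; local0) fac=16;;
    *) echo "unknown facility: $1" >&2; return 1;;
  esac
  case "$2" in
    emergency) sev=0;; error) sev=3;; warning) sev=4;;
    notice) sev=5;; informational) sev=6;; debug) sev=7;;
    *) echo "unknown severity: $2" >&2; return 1;;
  esac
  echo $((fac * 8 + sev))
}

# Format "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG".
# Args: facility severity timestamp hostname tag message
syslog_line() {
  pri=$(syslog_pri "$1" "$2") || return 1
  printf '<%s>%s %s %s: %s' "$pri" "$3" "$4" "$5" "$6"
}

# Send one line over tcp or udp. TCP fails fast when nothing listens;
# UDP "succeeds" even with no listener, so confirm arrival in Splunk.
send_test() {
  case "$1" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 2;; esac
  bash -c 'exec 3>"/dev/$1/$2/$3" || exit 1; printf "%s\n" "$4" >&3; exec 3>&-' \
    _ "$1" "$SPLUNK_HOST" "$SPLUNK_PORT" "$2"
}

# Usage: sh thisfile.sh send tcp   (or udp). Skipped when no argument is given.
if [ "${1:-}" = "send" ]; then
  proto="${2:-udp}"
  line=$(syslog_line daemon informational "$(date '+%b %e %T')" "$(hostname)" nls-check \
    "delivery test from Nagios Log Server over $proto")
  send_test "$proto" "$line" && echo "sent via $proto: $line"
fi
```

Run it once with tcp and once with udp, then search Splunk for "nls-check": if the line arrives, the listener and network path are fine and the problem is in the Logstash output; if not, check firewalls and the Splunk input first.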

Re: how can NLS send syslog data to splunk

Postby tacolover101 » Thu Feb 22, 2018 3:50 am

hyacinth wrote: @kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?


How are you trying to configure the sending? There are many options I see as viable here:
1. Splunk forwarder
2. NLS output (which is the code you're seeing above, by @mcapra)
3. syslog (using the built-in rsyslog)
tacolover101
 
Posts: 402
Joined: Mon Apr 10, 2017 11:55 am

Re: how can NLS send syslog data to splunk

Postby scottwilkerson » Thu Feb 22, 2018 11:29 am

hyacinth wrote: @kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?


You must pardon our ignorance, but we are not familiar with configuring Splunk, nor with how you have configured your version of Splunk.

These setups are hypothetical, assuming you have Splunk listening on the port and protocol specified; only you know that.

As for the config, it might help if we saw yours from the Nagios Log Server. Please run the following:
cat /usr/local/nagioslogserver/logstash/etc/conf.d/*
scottwilkerson
CTO
 
Posts: 9799
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
