how can NLS send syslog data to splunk

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
hyacinth
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

how can NLS send syslog data to splunk

Post by hyacinth »

Dear Friends,
We want to send syslog data from Nagios Log Server to Splunk. Splunk has finished the configuration to connect with NLS, but we don't know the location of the monitoring syslog data.
We have tried to find the location as attached, but none of them seems like log data. Please help to check.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: how can NLS send syslog data to splunk

Post by mcapra »

If you're interested in forwarding events to Splunk, see this thread:
https://support.nagios.com/forum/viewto ... 37&t=47324
Former Nagios employee
https://www.mcapra.com/
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: how can NLS send syslog data to splunk

Post by npolovenko »

Thanks, @mcapra!
@hyacinth , Let us know if you have other questions.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hyacinth
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

Re: how can NLS send syslog data to splunk

Post by hyacinth »

@mcapra
Thanks Mcapra, I have read that post before, but I don't know how and where to configure this code:

    syslog {
        procid => "Nagios"
        facility => 'daemon'
        host => '10.50.121.180'
        port => '514'
        protocol => 'tcp'
        severity => 'informational'
    }

One more question: can Nagios LS analyze and filter the collected syslog and then send only the useful syslog data to Splunk? How does it work? You know, too many useless logs will cost too much on Splunk.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: how can NLS send syslog data to splunk

Post by cdienger »

The output can be configured under Configure > Global (All Instances) > Global Config. Click "Show Outputs" in the top right corner and then Add Output > Custom. Give it a name ("Splunk Output" for example) and paste the output config.

You can use logic to only send specific data. For example, to send only logs from a client with an IP of 192.168.2.3:

    if [host] == "192.168.2.3" {
        syslog {
            procid => "Nagios"
            facility => 'daemon'
            host => '10.50.121.180'
            port => '514'
            protocol => 'tcp'
            severity => 'informational'
        }
    }
https://www.elastic.co/guide/en/logstas ... ation.html and https://www.elastic.co/guide/en/logstas ... mples.html have more details on logstash configuration.
hyacinth
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

Re: how can NLS send syslog data to splunk

Post by hyacinth »

@cdienger
    host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
    port => '514'
    protocol => 'tcp'
"514" is a UDP port, should I change the protocol to udp?
kyang

Re: how can NLS send syslog data to splunk

Post by kyang »

hyacinth wrote:@cdienger
    host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
    port => '514'
    protocol => 'tcp'
"514" is a UDP port, should I change the protocol to udp?
@cdienger is out for the week, but I'll be happy to try and assist.

Yes, 10.50.121.180 should be your Splunk address.

You're right that 514 is a UDP port, but I'm not entirely sure if the protocol should be changed.

In that case, you should switch it to 'udp' and see if the output filter works. If not change it back to 'tcp' and test it again.

Let us know if you have any more questions.
hyacinth
Posts: 19
Joined: Wed Dec 13, 2017 2:21 am

Re: how can NLS send syslog data to splunk

Post by hyacinth »

@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: how can NLS send syslog data to splunk

Post by tacolover101 »

hyacinth wrote:@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
how are you trying to configure the sending? there are many options i see viable here:
1. splunk forwarder
2. NLS output (which is the code you're seeing above, by @mcapra)
3. syslog (using built in rsyslog)
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: how can NLS send syslog data to splunk

Post by scottwilkerson »

hyacinth wrote:@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
You must pardon our ignorance, but we are not familiar with configuring Splunk, nor how you have configured your version of Splunk.

These setups are hypothetical, assuming you have Splunk listening on the port and protocol specified; only you know that.

As for the config, it might help if we saw yours from the Nagios Log Server. Please run the following:

    cat /usr/local/nagioslogserver/logstash/etc/conf.d/*
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
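A worked custom output, added here as an example (it is not code from the thread, from Nagios, or from the Logstash docs), that combines cdienger's conditional forwarding with a local trace output so the "Splunk received nothing" case from hyacinth's later post can be narrowed down. It assumes Splunk listens on 10.50.121.180:514 (the address and port used in the thread) over TCP, that events carry the fields [host], [program] and [syslog_severity_code] as set by Logstash's syslog and syslog_pri filters (check the field names against a real event in the NLS dashboard first), and that the Logstash process can write to the trace path shown, which is a placeholder. The client IPs and the excluded program names are made up for the example.

```logstash
# Added example; not part of the thread or of Nagios Log Server.
# Paste as Configure > Global (All Instances) > Global Config > Add Output > Custom.
#
# Only events that pass the whole conditional are forwarded:
#   - sent by one of the listed client IPs ([host] is set by the syslog input),
#   - severity warning (4) or more urgent (lower code = more urgent),
#   - not from a program you already know is noise.
if [host] in ["192.168.2.3", "192.168.2.4"]
   and [syslog_severity_code] <= 4
   and [program] !~ /^(cron|CROND)$/ {

  # Forward to the Splunk syslog input. Port 514 is valid for either transport;
  # "protocol" must match what the Splunk input is actually listening with.
  syslog {
    host     => "10.50.121.180"   # Splunk address from the thread
    port     => 514
    protocol => "tcp"             # change to "udp" if the Splunk input is UDP
    facility => "daemon"
    severity => "informational"
    procid   => "Nagios"
  }

  # Local trace: one JSON line per event that reached this output.
  # Placeholder path; use one the Logstash process on the NLS host can write to.
  file {
    path  => "/tmp/splunk-forward-trace.log"
    codec => json_lines
  }
}
```

Reading the trace file splits the problem in two: if it stays empty, no event is matching the conditional (wrong field name or value), so the network is not the question yet; if it fills but Splunk shows nothing, the Logstash side is done and what remains is the path between the NLS host and 10.50.121.180:514 (firewall, listener protocol, Splunk input configuration). Note that with fixed `facility`/`severity` labels the forwarded PRI is daemon.info for every event, so Splunk will not see the original severity unless it is still present in the message text; remove the `file` output once the forwarding is confirmed.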