how can NLS send syslog data to splunk

Posted: Thu Feb 08, 2018 7:54 pm
by hyacinth
Dear Friends,
We want to send syslog data from Nagios Log Server to Splunk. Splunk has finished the configuration to connect with NLS, but we don't know the location of the monitoring syslog data.
We have tried to find the location as attached, but none of them seem like log data. Please help to check.

Re: how can NLS send syslog data to splunk

Posted: Fri Feb 09, 2018 9:21 am
by mcapra
If you're interested in forwarding events to Splunk, see this thread:
https://support.nagios.com/forum/viewto ... 37&t=47324

Re: how can NLS send syslog data to splunk

Posted: Fri Feb 09, 2018 12:20 pm
by npolovenko
Thanks, @mcapra!
@hyacinth , Let us know if you have other questions.

Re: how can NLS send syslog data to splunk

Posted: Sat Feb 10, 2018 8:26 pm
by hyacinth
@mcapra
Thanks Mcapra, I have read that post before, but I don't know how and where to configure the code:
syslog {
procid => "Nagios"
facility => 'daemon'
host => '10.50.121.180'
port => '514'
protocol => 'tcp'
severity => 'informational'
}

One more question: can Nagios LS analyze and filter the collected syslog and then send only the useful syslog data to Splunk? How does it work? You know, too many useless logs will cost too much on Splunk.

Re: how can NLS send syslog data to splunk

Posted: Mon Feb 12, 2018 11:29 am
by cdienger
The output can be configured under Configure > Global (All Instances) > Global Config. Click "Show Outputs" in the top right corner and then Add Output > Custom. Give it a name ("Splunk Output" for example) and paste the output config.

You can use logic to only send specific data. For example, to send only logs from a client with an IP of 192.168.2.3:

if [host] == "192.168.2.3"{
     syslog {
     procid => "Nagios"
     facility => 'daemon'
     host => '10.50.121.180'
     port => '514'
     protocol => 'tcp'
     severity => 'informational'
     }
}
https://www.elastic.co/guide/en/logstas ... ation.html and https://www.elastic.co/guide/en/logstas ... mples.html have more details on logstash configuration.
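An added example, not from this thread or from Nagios Log Server's shipped configuration, showing the same conditional-output idea extended to the question of sending only "useful" data: one route forwards everything from a short list of hosts, a second route forwards events from any other host only when the message looks authentication-related or the original severity is Warning or higher, and everything else stays in NLS. Like the snippet above, it is meant to be pasted as a Custom output (no surrounding `output { }` block). The Splunk address is a placeholder to replace, and the field names `[host]`, `[message]` and `[severity_label]` are assumptions; check the field names on your own events in NLS before relying on them.

```logstash
# Added example (not the thread's or NLS's own config).
# Assumptions: Splunk has a TCP network input listening on port 514 at
# SPLUNK_HOST_PLACEHOLDER (replace with your Splunk indexer/forwarder address),
# and events carry the fields [host], [message] and [severity_label]
# (the latter as produced by a syslog_pri-style filter; verify on your events).

# Route 1: forward every event from the hosts we care about.
if [host] in ["192.168.2.3", "192.168.2.4"] {
  syslog {
    host     => "SPLUNK_HOST_PLACEHOLDER"
    port     => 514
    protocol => "tcp"
    facility => "daemon"
    severity => "informational"
    procid   => "Nagios"
  }
}
# Route 2: from any other host, forward only authentication-related messages
# or events whose original severity is Warning or more severe.
else if [message] =~ /sshd|sudo|pam_unix/ or [severity_label] in ["Emergency", "Alert", "Critical", "Error", "Warning"] {
  syslog {
    host     => "SPLUNK_HOST_PLACEHOLDER"
    port     => 514
    protocol => "tcp"
    facility => "daemon"
    severity => "informational"
    procid   => "Nagios"
  }
}
# Everything else matches no route and is kept in NLS only.
```

Two caveats worth knowing before testing: the syslog output plugin stamps every forwarded event with the `facility` and `severity` configured in the block, so any decision based on the event's original severity has to be made in the `if` condition, as Route 2 does; and Splunk only receives anything if a TCP (or UDP, if you set `protocol => "udp"`) network input is actually listening on that port and any firewall between NLS and Splunk allows the connection.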

Re: how can NLS send syslog data to splunk

Posted: Tue Feb 20, 2018 2:23 am
by hyacinth
@cdienger
host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
port => '514'
protocol => 'tcp'
"514" is a UDP port, should I change the protocol to udp?

Re: how can NLS send syslog data to splunk

Posted: Tue Feb 20, 2018 12:29 pm
by kyang
hyacinth wrote: @cdienger
host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
port => '514'
protocol => 'tcp'
"514" is a UDP port, should I change the protocol to udp?
@cdienger is out for the week, but I'll be happy to try and assist.

Yes, 10.50.121.180 should be your Splunk address.

You're right that 514 is a UDP port, but I'm not entirely sure if the protocol should be changed.

In that case, you should switch it to 'udp' and see if the output filter works. If not, change it back to 'tcp' and test it again.

Let us know if you have any more questions.

Re: how can NLS send syslog data to splunk

Posted: Thu Feb 22, 2018 1:57 am
by hyacinth
@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missed? Besides, is there any network requirement between NLS and Splunk?

Re: how can NLS send syslog data to splunk

Posted: Thu Feb 22, 2018 3:50 am
by tacolover101
hyacinth wrote: @kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missed? Besides, is there any network requirement between NLS and Splunk?
How are you trying to configure the sending? There are many options I see viable here:
1. splunk forwarder
2. NLS output (which is the code you're seeing above, by @mcapra)
3. syslog (using built in rsyslog)

Re: how can NLS send syslog data to splunk

Posted: Thu Feb 22, 2018 11:29 am
by scottwilkerson
hyacinth wrote: @kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missed? Besides, is there any network requirement between NLS and Splunk?
You must pardon our ignorance, but we are not familiar with configuring Splunk, nor how you have configured your version of Splunk.

These setups are hypothetical, assuming you have Splunk listening on the port and protocol specified; only you know that.

As for the config, it might help if we saw yours from the Nagios Log Server. Please run the following:

cat /usr/local/nagioslogserver/logstash/etc/conf.d/*