how can NLS send syslog data to splunk
Dear Friends,
We want to send syslog data from Nagios Log Server to Splunk. Splunk has finished the configuration to connect with NLS, but we don't know the location of the monitored syslog data.
We have tried to find the location as attached, but none of them seems to be log data. Please help to check.
Re: how can NLS send syslog data to splunk
If you're interested in forwarding events to Splunk, see this thread:
https://support.nagios.com/forum/viewto ... 37&t=47324
Former Nagios employee
https://www.mcapra.com/
- Support Tech
Re: how can NLS send syslog data to splunk
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: how can NLS send syslog data to splunk
@mcapra
Thanks Mcapra, I have read that post before, but I don't know how and where to configure the code:
syslog {
procid => "Nagios"
facility => 'daemon'
host => '10.50.121.180'
port => '514'
protocol => 'tcp'
severity => 'informational'
}
One more question: can Nagios LS analyze and filter the collected syslog and then send useful syslog data to Splunk? How does it work? You know, too many useless logs will cost too much on Splunk.
Re: how can NLS send syslog data to splunk
The output can be configured under Configure > Global (All Instances) > Global Config. Click "Show Outputs" in the top right corner and then Add Output > Custom. Give it a name ("Splunk Output" for example) and paste the output config.
https://www.elastic.co/guide/en/logstas ... ation.html and https://www.elastic.co/guide/en/logstas ... mples.html have more details on logstash configuration.
You can use logic to only send specific data. For example, to send only logs from a client with an IP of 192.168.2.3:
if [host] == "192.168.2.3"{
syslog {
procid => "Nagios"
facility => 'daemon'
host => '10.50.121.180'
port => '514'
protocol => 'tcp'
severity => 'informational'
}
}
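As an added example (not from this thread and not Nagios' own configuration), the one-host condition above can be widened into the kind of filtering the earlier question asked about, so that only a useful subset reaches Splunk. It uses the Logstash conditional syntax from the pages linked above. Assumptions: Nagios Log Server wraps the pasted text in its own output section (as the example above implies, so no `output { }` wrapper is written here); syslog events carry the `type`, `host` and `tags` fields set by the NLS syslog input and filters; and `syslog_severity_code` only exists if a `syslog_pri` filter has run, so check the NLS filter config before relying on it. The client addresses and the Splunk address are placeholders.

```logstash
# Added example of a custom NLS output, pasted under Add Output > Custom.
# Forward to Splunk only events that:
#   1. arrived via syslog (NLS syslog inputs are assumed to set type "syslog"; verify on your instance),
#   2. came from the hosts listed,
#   3. are warning (4) or more severe (syslog_severity_code is assumed to come from a syslog_pri filter),
#   4. parsed cleanly, so Splunk is not charged for half-parsed lines.
if [type] == "syslog"
   and [host] in ["192.168.2.3", "192.168.2.4"]
   and [syslog_severity_code] <= 4
   and "_grokparsefailure" not in [tags] {
  syslog {
    host       => "10.50.121.180"    # Splunk host with a syslog data input (placeholder)
    port       => 514                # must match that data input
    protocol   => "tcp"              # tcp or udp; the Splunk data input must use the same one
    facility   => "daemon"
    severity   => "informational"
    appname    => "nagioslogserver"
    procid     => "%{host}"          # keep the original source host in the header line
    sourcehost => "%{host}"          # so the Splunk host field is the client, not the NLS node
    message    => "%{message}"       # send the original line, not the whole event
  }
}
```

When testing, start with a single host and a permissive threshold, compare the event count Splunk receives with a matching query in the NLS dashboard, and only then tighten the condition; a condition that references a field NLS never sets silently matches nothing, which looks the same as a broken network path.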
Re: how can NLS send syslog data to splunk
@cdienger
host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
port => '514'
protocol => 'tcp'
"514" is a UDP port, should I change the protocol to udp?
Re: how can NLS send syslog data to splunk
@cdienger is out for the week, but I'll be happy to try and assist.
hyacinth wrote:@cdienger
host => '10.50.121.180'
Is 10.50.121.180 a Splunk address?
port => '514'
protocol => 'tcp'
"514" is a UDP port, should I change the protocol to udp?
Yes, 10.50.121.180 should be your Splunk address.
You're right that 514 is a UDP port, but I'm not entirely sure if the protocol should be changed.
In that case, you should switch it to 'udp' and see if the output filter works. If not change it back to 'tcp' and test it again.
Let us know if you have any more questions.
Re: how can NLS send syslog data to splunk
@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
- tacolover101
Re: how can NLS send syslog data to splunk
hyacinth wrote:@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
How are you trying to configure the sending? There are many options I see as viable here:
1. splunk forwarder
2. NLS output (which is the code you're seeing above, by @mcapra)
3. syslog (using the built-in rsyslog)
- DevOps Engineer
- Location: Nagios Enterprises
Re: how can NLS send syslog data to splunk
hyacinth wrote:@kyang
I have tried both udp and tcp, but Splunk received nothing. Is there any config missing? Besides, is there any network requirement between NLS and Splunk?
You must pardon our ignorance, but we are not familiar with configuring Splunk, nor with how you have configured your version of Splunk.
These setups are hypothetical, assuming you have Splunk listening on the port and protocol specified; only you know that.
As for the config, it might help if we saw yours from the Nagios Log Server. Please run the following:
cat /usr/local/nagioslogserver/logstash/etc/conf.d/*
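The reply above makes the key point: the NLS output can only work if Splunk really is listening on the host, port and protocol named in it. The script below is an added example (not from the thread and not from Nagios) of how to settle that from the Nagios Log Server host before touching the Logstash config again. It builds an RFC 3164 message with the same facility and severity the output uses (daemon/informational, PRI 30) and sends it to Splunk over TCP or UDP with nc. The Splunk address and port are placeholders, and it assumes nc (netcat) is installed on the NLS host.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios: check from the Nagios Log Server
# host whether the Splunk syslog input is reachable, and push one well-formed test
# message through it. Assumptions: run on the NLS host, nc (netcat) is installed,
# and SPLUNK_HOST / SPLUNK_PORT are placeholders for your Splunk data input.

SPLUNK_HOST="${SPLUNK_HOST:-10.50.121.180}"
SPLUNK_PORT="${SPLUNK_PORT:-514}"

# Facility and severity keywords as used by the Logstash syslog output, mapped to
# the numeric codes from RFC 3164 section 4.1.1.
facility_code() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;   mail) echo 2 ;;    daemon) echo 3 ;;
        auth) echo 4 ;;  syslog) echo 5 ;; local0) echo 16 ;; local1) echo 17 ;;
        *) return 1 ;;
    esac
}

severity_code() {
    case "$1" in
        emergency) echo 0 ;; alert) echo 1 ;;  critical) echo 2 ;;      error) echo 3 ;;
        warning) echo 4 ;;   notice) echo 5 ;; informational) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# PRI = facility * 8 + severity; daemon/informational, as in the output above, is 30.
syslog_pri() {
    f=$(facility_code "$1") || return 1
    s=$(severity_code "$2") || return 1
    echo $((f * 8 + s))
}

# RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# $1 facility, $2 severity, $3 hostname, $4 tag, $5 message, $6 timestamp (optional,
# defaults to now in the "Mmm dd hh:mm:ss" form the RFC uses).
syslog_line() {
    pri=$(syslog_pri "$1" "$2") || return 1
    ts="${6:-$(date '+%b %e %H:%M:%S')}"
    printf '<%s>%s %s %s: %s' "$pri" "$ts" "$3" "$4" "$5"
}

# Send one test message. TCP gives a real answer (connection refused or a timeout
# means the listener or the path is the problem, not the NLS output config). UDP
# cannot: nothing comes back, so "sent" over UDP only proves the packet left this host.
send_test() {
    proto="$1"
    line=$(syslog_line daemon informational "$(hostname)" nagioslogserver \
        "NLS to Splunk test over $proto") || return 1
    case "$proto" in
        tcp) printf '%s\n' "$line" | nc -w 3 "$SPLUNK_HOST" "$SPLUNK_PORT" ;;
        udp) printf '%s\n' "$line" | nc -u -w 1 "$SPLUNK_HOST" "$SPLUNK_PORT" ;;
        *)   echo "usage: $0 tcp|udp" >&2; return 2 ;;
    esac
}

# Only send when invoked with an explicit protocol, so sourcing the file is side-effect free.
case "${1:-}" in
    tcp|udp)
        if send_test "$1"; then
            echo "sent over $1 to $SPLUNK_HOST:$SPLUNK_PORT; now search Splunk for \"NLS to Splunk test\""
        else
            echo "could not deliver over $1 to $SPLUNK_HOST:$SPLUNK_PORT" >&2
        fi
        ;;
esac
```

Run it as `sh check_splunk.sh tcp` (or `udp`) on the NLS node. If the TCP connect is refused or times out, fix the network path or the Splunk data input first; if the test line appears in Splunk but NLS events still do not, the problem is in the output condition or the fields it references. Two things to confirm on the Splunk side: the data input must be created for the same protocol the output uses, and 514 is a privileged port on Linux, so a Splunk instance that does not run as root cannot bind it and will be listening on some higher port instead. The flags shown are those of OpenBSD-style nc; other netcat variants spell the timeout option differently.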