< Back to Best Practices

Create syslog-ng rules to send data to Splunk

The information in this topic works with syslog-ng version 2.x. an awesome Splunk user made a long-ago blog post that includes examples of working with syslog-ng version 3.x. note that this blog post also references Splunk version 3.x, but the syslog-ng 3.x foo should be helpful, regardless:

blog post is here: http://piyush.me/2009/06/23/centralized-logging-using-syslog-ng-splunk-indexing-search/

Note FIFO has been deprecated in Splunk so this information is out of date. Current best practice is to save to file from syslog-ng and have splunk monitor those files. Log rotation can then delete the files after a reasonable period.

Syslog-ng ("next generation") goes beyond standard syslog. It accepts and sends both TCP and UDP input and has four types of rules available for its configuration file: source, filter, destintation and log.

As an example, this rule configures a source that reads remote syslog events on port 514 UDP:

source src_udp { udp(ip (0.0.0.0) port(514)); };

Then, add a filter for events that match MSWinEventLog:

filter f_windows { match("MSWinEventLog"); };

Next, add a FIFO destination.

destination winFIFO { pipe("/var/log/splunk/syslog-ng/winFIFO"); };

Finally, this last rule will send all MSWinEventLog events that come in on port 514 to a FIFO from which Splunk can load them at high speed.

log { source(src_udp); filter(f_windows); destination(winFIFO); };

Configure Splunk's syslogFIFO input module to load the events from the FIFO. You can add regular expressions to create meta data values such as severity:: for each event.