Using Syslog-ng with Splunk

Overview

A Splunk instance can listen on any port for incoming syslog messages. While this is easy to configure, it’s not considered best practice for getting syslog messages into Splunk. If the splunkd process stops, all syslog messages sent during the downtime would be lost. Additionally, all syslog traffic would stream to a single Splunk instance, which is not always wanted if it can be configured to spread syslog data amongst all indexers.

What is the best practice for getting syslog data into Splunk? The answer is a dedicated syslog server.

Below we discuss the installation, configuration and utilization of syslog-ng as the syslog server for Splunk.

Syslog-ng:

syslog-ng is an open source implementation of the syslog protocol for Unix …

» Continue reading