I am trying to see where I have gone wrong with my RSYSLOG configuration and forwarding information for SPLUNK. In our environment we are using SNARE on our endpoints, which is sending the data to an RSYSLOG (CentOS) box which runs SPLUNK UF. SPLUNK UF then sends to a single instance of SPLUNK. So far the communications are working. The endpoints are sending to the RSYSLOG box and the RSYSLOG box has been configured to pick up and log events based on a "content match". For example, data coming from "Windows-Security-Auditing" goes to a log file called "windowssecurityevents.log". Data from PowerShell goes to a log file called "powershell.log". This works fine.
I have also configured the SPLUNK UF (inputs.conf) with the following:
[monitor://path/windowssecurityevents.log]
disabled = false
index = winsecevents
sourcetype = winsecevents_syslog
[monitor://path/powershell.log]
disabled = false
index = powershell
sourcetype = powershell_syslog
[monitor://path/OtherLog1.log]
disabled = false
index = OtherLog1
sourcetype = OtherLog1_syslog
[monitor://path/OtherLog2.log]
disabled = false
index = OtherLog2
sourcetype = OtherLog2_syslog
I also ran a command in CentOS to add the forward-server, being "./splunk add forward-server 1.1.1.1:9997".
I am only able to see logs for 1 log file. The other 3 are not showing in the separate SPLUNK indexes that I have configured. The log files themselves are growing and I can see my data in RSYSLOG, so the problem isn't there. I am trying to see what I need to do with the UF to get it to send the other log information to the relevant index in our single Splunk instance.
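When some monitor stanzas deliver data and others do not, a useful first check on the UF side is whether every `index =` value in inputs.conf is a legal index name and actually exists on the indexer, since the indexer discards events addressed to an index it does not have. The script below is an added example, not part of the question; it parses an inputs.conf copy of the stanzas above and cross-checks them against a constructed set of indexer index names (in a real check, the set would come from `splunk list index` run on the indexer).

```python
import re

# Constructed inputs.conf mirroring the stanzas in the question ("path" kept as a placeholder).
INPUTS_CONF = """
[monitor://path/windowssecurityevents.log]
index = winsecevents
sourcetype = winsecevents_syslog
[monitor://path/powershell.log]
index = powershell
sourcetype = powershell_syslog
[monitor://path/OtherLog1.log]
index = OtherLog1
sourcetype = OtherLog1_syslog
[monitor://path/OtherLog2.log]
index = OtherLog2
sourcetype = OtherLog2_syslog
"""

# Constructed: indexes defined on the indexer (what `splunk list index` would report there).
# In this scenario only the index that is receiving data has actually been created.
INDEXER_INDEXES = {"main", "winsecevents"}

# Splunk index names may contain only lowercase letters, digits, underscores and hyphens.
INDEX_NAME_RE = re.compile(r"^[a-z0-9_-]+$")

def parse_monitor_stanzas(text):
    """Return {stanza name: {key: value}} for every [monitor://...] stanza in inputs.conf text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = stanzas.setdefault(name, {}) if name.startswith("monitor://") else None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return stanzas

def check_inputs(text, existing_indexes):
    """Return (stanza, problem) tuples; an empty list means every monitor targets a usable index."""
    findings = []
    for name, keys in parse_monitor_stanzas(text).items():
        idx = keys.get("index", "main")  # Splunk's default when a stanza sets no index
        if not INDEX_NAME_RE.match(idx):
            findings.append((name, f"index '{idx}' is not a valid index name (lowercase a-z, 0-9, _ and - only)"))
        if idx not in existing_indexes:
            findings.append((name, f"index '{idx}' does not exist on the indexer, so its events are discarded"))
    return findings
```

Running `check_inputs(INPUTS_CONF, INDEXER_INDEXES)` reports nothing for the stanza that is working and one or more findings for each of the other three, which is the pattern described in the question.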