0
votes

I want to forward my Apache and Tomcat logs to my central log server (Splunk/Graylog).

I have client systems with syslog-ng running.

How can I forward the logs?

Is it necessary to parse the logs? Can't I forward the logs as they are? Do I have to edit the Apache configuration as well?

I have been trying to get this done for the last week. I had created another question regarding this, but no help was found: Forwarding log via syslog-ng. Anyone, please look at this.

Update 1: This is my latest syslog-ng.conf:

source s_all {
  internal();                                 # syslog-ng's own internal messages
  unix-stream("/dev/log");                    # local syslog socket
  file("/proc/kmsg" program_override("kernel: "));
  # Tail the Apache logs; flags(no-parse) ships each line verbatim as the message body
  file("/var/log/apache/access.log" follow_freq(1) flags(no-parse));
  file("/var/log/apache/error.log" follow_freq(1) flags(no-parse));
};
destination d_splunk {
  # Plain UDP syslog to the collector on 514 (no delivery guarantee; tcp() is the reliable alternative)
  udp("ec2-xxx.xxx.xxx.xxx.compute-1.amazonaws.com" port(514));
};
log {
  source(s_all); destination(d_splunk);
};

2 Answers

0
votes

Install a Universal Forwarder on your central log server (I'm assuming this is a different box than your Splunk instance). Then monitor the path of your syslog. I don't know syslog-ng that well, but the logs should be written so that the path contains the hostname somewhere, like /var/log/my_host_one/apache/access.log. That way Splunk will use the correct hostname (see host_segment in inputs.conf).

Also, to test and make sure your UF is correctly connecting to your main Splunk instance (configured via outputs.conf), try searching the UF's internal logs for index=_internal host=your_uf_host.

0
votes

Hey, I recommend you check Ansible (https://docs.ansible.com/) instead of doing it manually all the time.

    - name: Configure syslog forwarding
      copy:
        content: |
          *.* @localhost:514;RSYSLOG_SyslogProtocol23Format
        dest: /etc/rsyslog.d/30-graylog.conf
        mode: 0644
        owner: root
        group: root
      notify:
        - restart collector
        - restart rsyslog

Something like this will solve your problem.
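Whichever agent does the shipping (syslog-ng in the question, rsyslog in the playbook above), the answer to "do I have to parse?" is no: the Apache line goes out verbatim and only a syslog header is wrapped around it. The Python below is an added illustration of that, not code from either answer or from syslog-ng/rsyslog: it builds RFC 5424 frames (the format RSYSLOG_SyslogProtocol23Format emits) for constructed Apache access-log lines, sends them over loopback TCP to a stand-in listener, and shows the collector side recovering the hostname and the untouched line; the hostname and sample lines are assumptions.

```python
import socket
from datetime import datetime, timezone

SAMPLE_ACCESS_LINES = [  # constructed sample Apache combined-log lines, not from the post
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.88.1"',
    '198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
]
DEMO_HOST = "web01.example.internal"  # assumed client hostname
FACILITY_LOCAL0, SEVERITY_INFO = 16, 6

def rfc5424_frame(msg, hostname, app_name="apache", ts=None,
                  facility=FACILITY_LOCAL0, severity=SEVERITY_INFO):
    """Wrap one raw log line in an RFC 5424 header with RFC 6587 octet-counting.
    The Apache line travels unparsed as MSG; the added header (PRI, timestamp,
    hostname, app-name) is what the collector uses for its host/source fields."""
    ts = ts or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    frame = ("<%d>1 %s %s %s - - - %s" % (pri, stamp, hostname, app_name, msg)).encode("utf-8")
    return b"%d %s" % (len(frame), frame)  # "<length> <frame>" keeps TCP streams delimited

def parse_frames(buf):
    """Collector side: split an octet-counted stream back into (hostname, app, msg)."""
    out = []
    while buf:
        length, _, rest = buf.partition(b" ")
        frame, buf = rest[:int(length)], rest[int(length):]
        # fields: PRI+VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, SD, MSG
        parts = frame.decode("utf-8").split(" ", 7)
        out.append((parts[2], parts[3], parts[7]))
    return out

def forward_over_tcp(lines, hostname, addr):
    """Send every line on one TCP connection (plain TCP; use TLS in a real deployment)."""
    with socket.create_connection(addr) as s:
        for line in lines:
            s.sendall(rfc5424_frame(line, hostname))

def local_roundtrip(lines, hostname=DEMO_HOST):
    """Loopback demo: a throwaway listener on 127.0.0.1 stands in for the collector."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    forward_over_tcp(lines, hostname, srv.getsockname())  # connect, send, close
    conn, _ = srv.accept()
    data = b""
    while chunk := conn.recv(4096):
        data += chunk
    conn.close(); srv.close()
    return parse_frames(data)
```

Running `local_roundtrip(SAMPLE_ACCESS_LINES)` returns each line paired with `web01.example.internal` and `apache`, which is exactly the host and source a Splunk or Graylog input would key on without any parsing of the Apache format itself.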