2

If I install the splunk forwarder, I can get the remote data into my splunk install, and index my logs, and searching is great. But I have a number of router devices and other devices that run syslog, and can export their logs somewhere.

How can I configure Splunk to receive these logs, or is there some other workaround to be used?

Mister IT Guru

4 Answers

2

In the Splunk indexer's inputs configuration, you'll want to configure a UDP listener on port 514, with the type set to syslog (which allows it to figure out some of the default syslog fields) and the host set to the source of the traffic (which allows it to set the host field for the log items appropriately).

Once this is done, any standard syslog device can send data to the Splunk indexer, and it will be happily accepted by Splunk.

Shane Madden
  • I didn't realise that splunk could 'talk' syslog! I'm worried about losing data though. If I reboot, will I lose the data in the mean time? – Mister IT Guru Dec 29 '11 at 20:27
  • @MisterITGuru Indeed you will; and with any UDP syslog, there's also potential for messages to be lost due to packet loss on the network - but with devices that aren't capable of sending their logs in any other way than UDP syslog, there's unfortunately nothing that you can do to mitigate that. – Shane Madden Dec 29 '11 at 20:37
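The listener this answer describes, written out as an inputs.conf fragment. This is an added example, not configuration from the answer or from Splunk's documentation; the second stanza (TCP on 5514), the `acceptFrom` range and the `queueSize` value are assumptions chosen to show the alternative the comment thread touches on.

```conf
# $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer (added example;
# restart Splunk after editing it).

# UDP listener as described in the answer: port 514, sourcetype syslog so
# Splunk applies its default syslog field handling, and the host field
# taken from the sending device's address.
[udp://514]
sourcetype = syslog
connection_host = ip
# Assumed value: a larger input queue absorbs bursts so fewer datagrams are
# dropped while Splunk is busy. It does nothing while Splunk is restarting;
# messages sent then are gone, as the comments above say.
queueSize = 4MB

# Assumed alternative for senders that can speak TCP syslog: a port above
# 1024 does not require Splunk to run as root, and a TCP sender with a
# queue of its own (rsyslog, syslog-ng) can retry while the indexer is down.
[tcp://5514]
sourcetype = syslog
connection_host = ip
# Assumed management network; limit the listener to the hosts that should
# be sending syslog to this indexer.
acceptFrom = 10.0.0.0/8
```

Devices that can only emit UDP syslog still use the first stanza; the second only helps where the sender supports TCP.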
1

There are quite a few articles online on how to set up Splunk to accept syslog connections. Here is one that I found with a simple Google search.

You basically just go into Splunk's management console and tell it to accept connections on X port from Y machine. That basically tells Splunk to accept those connections. Now you just have to go to each device and point that system's syslog to the Splunk IP on the correct port.

FYI - The Google search I used was: configure splunk to accept syslog

Eric
  • I didn't realise that splunk could 'talk' syslog! I'm worried about losing data though. If I reboot, will I lose the data in the mean time? – Mister IT Guru Dec 29 '11 at 20:27
  • No you shouldn't. There are settings that you can modify where the messages will queue up for X amount of time or X amount of tries before failing completely. Here is an article briefly talking about that - http://rsyslog.com/doc/rsyslog_reliable_forwarding.html. – Eric Dec 29 '11 at 21:42
  • ^^ only in TCP mode – dmourati Aug 08 '13 at 23:00
1

I know this is an old thread, but just commenting for anyone else who stumbles on it. The recommended approach is to funnel your syslog data through a syslog server like syslog-ng or Rsyslog. Then use a Splunk Universal Forwarder to monitor the log files and send off to your indexing layer. There are several reasons it is not recommended to just open a network port on a Splunk forwarder/indexer. The first is that UDP is stateless, and any time Splunk has to be restarted, that data is just lost; and Splunk has to be restarted essentially any time a configuration file is modified or an app is installed. Secondly, Splunk would have to be running as root to accept traffic on ports lower than 1024, and this is against best practice. It also violates many companies' security policies.

-2

What I would do is a two-step process. I would create a central syslog/syslog-ng server that can coalesce all your routers' and other devices' logs via syslog. Then, on that central syslog/syslog-ng server, run the Splunk forwarder, configure it to tail the appropriate syslog file or files you configure, and forward that data to your central Splunk server for indexing.

One other approach would be to make the syslog/syslog-ng server the same server as your central splunk. That would eliminate one forwarding step.

Good luck!

dmourati
  • This is all totally unnecessary. Splunk already accepts syslog messages, TCP or UDP, totally natively. – jgoldschrafe Dec 29 '11 at 00:07
  • Ahh, thanks for setting the record straight. It has been a while since I've used Splunk and I needed a TCP syslog solution which wasn't integrated at that time. – dmourati Dec 29 '11 at 17:01
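The relay-plus-forwarder design recommended in this answer and in the one above it (rsyslog writes each device's messages to disk, a Universal Forwarder on the same box tails those files), written out as configuration. This is an added example, not from either answer or from the rsyslog or Splunk projects; the file paths, the per-host directory layout and the index name are assumptions.

```conf
# /etc/rsyslog.d/10-remote.conf on the central syslog server (added example;
# the file name and log directory are assumptions).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# One file per sending device under /var/log/remote/<hostname>/syslog.log
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/syslog.log")

# Anything not from this box is written to disk and handled no further, so
# it survives a Splunk restart and simply waits for the forwarder to read it.
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="RemoteHostFile")
    stop
}

# $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder
# installed on that same syslog server. The forwarder records how far it has
# read each file, so restarting Splunk on either end resumes where it left off
# instead of losing what arrived in the meantime.
[monitor:///var/log/remote/*/syslog.log]
sourcetype = syslog
# The fourth path segment (/var/log/remote/<hostname>/...) becomes the host field.
host_segment = 4
# Assumed index name; it must already exist on the indexer.
index = network
```

rsyslog runs as root only long enough to bind port 514 and can drop privileges afterwards, while the forwarder never needs a privileged port, which addresses the root concern raised in the answer above.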