

#Cisco asa splunk base windows

So we know syslog packets are reaching the Splunk server from that host, and syslog packets are reaching the Splunk server from at least one other host. In the former case they're not "findable" but in the latter they are. I expect then that there are entries we'll need to find.

The following is in a few steps as we narrow down where to look.

First, run (Windows syntax first, then Linux syntax - you obviously only need one):

c:\program files\splunk\bin\splunk cmd btool --debug props list | findstr 10.10.10.1
/opt/splunk/bin/splunk cmd btool --debug props list | grep 10.10.10.1

(From now on, I'll use Windows syntax since I have a Windows box open at the moment to copy/paste examples from.)

You might get output like: C:\Program Files\Splunk\etc\system\local\nf

If you do, GREAT! The file we need to check/change is $splunkhome/etc/system/local/nf.

If it doesn't return anything, then we'll look for the host that DOES work:

c:\program files\splunk\bin\splunk cmd btool --debug props list | findstr

Then you'll know where that host is defined. If you edit the file it returns, you hopefully will see a few settings in there for that host. You'll want to copy/paste those to a new set, then change them as appropriate to make them apply to the other host as well.

Paste back what you've found if you can't figure it out from there.

Oh, one note: if any of the files are blah/blah/default/nf, you should really REALLY make a copy of the pieces you need into blah/blah/local/nf so they won't get overwritten at next upgrade.

Well, we don't probably NEED to reinstall, but if you aren't very attached to the historical data you have, it's certainly a possibility.

First, though, I think you could try a simpler method.

Configure syslog-ng (or rsyslog) to save incoming syslog to, say, /var/log/remote//log.txt. There are docs and info on why available. I think you'll need something like this in the syslog-ng config, though obviously sanity check it and make sure it's good for your environment.

That will create directories/files like /var/log/remote/10.10.10.1/log.txt. At this point, you've separated the syslog parts from the Splunk parts, so it makes life so much easier.
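The btool step above only greps for the host string, which shows the stanza header but not the settings underneath it that the answer says to copy. The following is an added example, not code from the answer or from Splunk: a small POSIX shell/awk helper for the Linux side that takes `splunk cmd btool --debug props list` output and prints the whole stanza (with the file each line came from) for any stanza whose header mentions the host. The btool output embedded in it is constructed for illustration; the paths and hosts in it are assumptions, not from the page.

```shell
#!/bin/sh
# Added example: show the file and full stanza that define a host in props.conf,
# given the output of `splunk cmd btool --debug props list`.
# SAMPLE_BTOOL is constructed sample output, not real output from any system.

SAMPLE_BTOOL='/opt/splunk/etc/system/default/props.conf          [default]
/opt/splunk/etc/system/default/props.conf          CHARSET = UTF-8
/opt/splunk/etc/system/local/props.conf            [host::10.10.10.2]
/opt/splunk/etc/system/local/props.conf            TZ = UTC
/opt/splunk/etc/system/local/props.conf            TRANSFORMS-set = set_cisco
/opt/splunk/etc/apps/search/local/props.conf       [syslog]
/opt/splunk/etc/apps/search/local/props.conf       SHOULD_LINEMERGE = false'

# stanzas_for_host HOST [BTOOL_OUTPUT]
# Prints "file<TAB>line" for every stanza header containing HOST and for each
# setting line that follows it, up to the next stanza header. Prints nothing
# when the host is not defined anywhere, which is the "doesn't return anything"
# case in the answer. BTOOL_OUTPUT defaults to the constructed sample; in real
# use pipe btool into it:  splunk cmd btool --debug props list | stanzas_for_host 10.10.10.1 -
stanzas_for_host() {
    host=$1
    input=${2:-$SAMPLE_BTOOL}
    if [ "$input" = "-" ]; then
        input=$(cat)
    fi
    printf '%s\n' "$input" | awk -v host="$host" '
        {
            file = $1                              # btool --debug prefixes each line with its file
            rest = substr($0, length($1) + 1)      # the original config line
            sub(/^[[:space:]]+/, "", rest)
        }
        rest ~ /^\[/ { inside = (index(rest, host) > 0) }   # new stanza: does its header name the host?
        inside       { print file "\t" rest }
    '
}

# Usage (against the constructed sample):
#   stanzas_for_host 10.10.10.2   -> three lines from etc/system/local/props.conf
#   stanzas_for_host 10.10.10.1   -> nothing: no stanza mentions that host
```

If the file it reports lives under a `default` directory, copy the stanza into the matching `local` directory before editing it, as the answer warns, so the next upgrade does not overwrite the change.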
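The syslog-ng configuration the answer refers to is not reproduced on the page. The following is an added example of what such a configuration looks like; it is not the answer's own config. It assumes syslog-ng 3.x, that the ASA sends to UDP or TCP port 514, and that one directory per sending IP under /var/log/remote is wanted, so that a device at 10.10.10.1 ends up in /var/log/remote/10.10.10.1/log.txt as the answer describes.

```conf
# Added example syslog-ng config (not from the page). Assumes syslog-ng 3.x,
# syslog arriving on port 514, and per-source-IP files under /var/log/remote.
@version: 3.19

options {
    create-dirs(yes);       # create /var/log/remote/<ip>/ on the first message from a host
    use-dns(no);            # never block the receiver on reverse DNS lookups
    keep-hostname(no);      # ignore the hostname the device writes into the header
    dir-perm(0750);
    perm(0640);
};

# Listen for the ASA and any other device on the standard syslog port.
source s_net {
    network(ip(0.0.0.0) port(514) transport("udp"));
    network(ip(0.0.0.0) port(514) transport("tcp"));
};

# ${SOURCEIP} is the address the packet actually came from, so each sender gets
# its own directory regardless of what it claims in the syslog header.
destination d_remote {
    file("/var/log/remote/${SOURCEIP}/log.txt"
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

log { source(s_net); destination(d_remote); };
```

On the Splunk side the matching input is then a plain file monitor; one form (an assumption, not from the answer) is a `[monitor:///var/log/remote]` stanza in inputs.conf with `host_segment = 4`, so the fourth path segment (the IP) becomes the host field, plus the sourcetype the Cisco ASA add-on expects. Two checks worth making: that the directory is writable by the user syslog-ng runs as, and that `${SOURCEIP}` rather than `${HOST}` is used for the path, since with keep-hostname off the two are the same but with it on a device can name its own directory. Syslog over UDP carries no sender authentication, so the IP in the path is only as trustworthy as the network path to the collector.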
