MONITOR SYSLOG-NG WITH SPLUNK! [BETA]

Shoutout to Automine, l00py & the CAST Team.

Still under construction.

Syslog-NG config for stats collection

#global
# stats_freq/stats_level are global options, so they go inside an options block;
# stats_freq(300) emits one "Log statistics;" message every 300 seconds
options {
stats_freq(300);
stats_level(2);
};

#source
source s_local {
internal(); # syslog-ng internal logs
};

#filter
# assumed definition: the log path below references f_logstats, but its body is not on the page
filter f_logstats { message("Log statistics"); };

#destination
destination d_logstats { file("/var/log/sng_logs/$HOST/logstats.log" perm(0775) create_dirs(yes)); };

#log
log { source(s_local); filter(f_logstats); destination(d_logstats); };

Output of Syslog-NG stats collection

2016-07-29T15:18:23+00:00 n00b-splkufwd-03 syslog-ng[9673]: Log statistics; processed='src.host(n00b-splkufwd-03)=1204', stamp='src.host(n00b-splkufwd-03)=1469805421', processed='src.host(n00bfirewall)=229', stamp='src.host(n00bfirewall)=1469805499', processed='center(received)=19', processed='src.internal(s_local#0)=19', stamp='src.internal(s_local#0)=1469805203', dropped='dst.file(d_logstats#0,/var/log/sng_logs/n00b-splkufwd-03/logstats.log)=0', processed='dst.file(d_logstats#0,/var/log/sng_logs/n00b-splkufwd-03/logstats.log)=17', stored='dst.file(d_logstats#0,/var/log/sng_logs/n00b-splkufwd-03/logstats.log)=0', dropped='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=0', processed='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=229', stored='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=0', processed='destination(d_logstats)=17', processed='source(s_catchall)=0', processed='center(queued)=1450', processed='src.none()=0', stamp='src.none()=0', dropped='dst.file(d_file#0,/var/log/messages)=0',

inputs.conf

[monitor:///var/log/sng_logs/.../logstats.log]
disabled = 0
followTail = 0
host_segment = 4
index = n00blab
sourcetype = syslog

transforms.conf

[syslogng_stats]
# _KEY_1/_VAL_1 make Splunk use the captured text as the field name (dynamic key extraction),
# which is what gives the processed_*, dropped_* and stored_* fields used in the search below;
# the group names are assumed, as they did not survive on the page
REGEX = \s(?<_KEY_1>[a-z]+='[^']+)=(?<_VAL_1>[^']+)

props.conf

[syslog]
KV_MODE = none
REPORT-syslogng_stats = syslogng_stats

Search

index=n00blab sourcetype=syslog
| reverse
| streamstats window=2 current=t range(processed_*) as processed_*_delta, range(dropped_*) as dropped_*_delta, range(stored_*) AS stored_*_delta
| timechart span=5m avg(*_delta) as *_delta
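As an added example (not code from the original post), the same key/value extraction and the streamstats window=2 delta step done in Python, so the derived field names and counter deltas can be checked offline; the two stats lines are constructed from the output format above and their values are made up.

```python
import re
from typing import Dict, List

# Same shape as the transforms.conf extraction: a counter name ('processed',
# 'dropped', 'stored' or 'stamp'), the stat it belongs to, and its value.
STAT_RE = re.compile(r"\s([a-z]+)='([^']+)=([^']+)'")

def clean_key(name: str) -> str:
    """Approximate Splunk's CLEAN_KEYS: anything not [A-Za-z0-9_] becomes '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)

def parse_stats_line(line: str) -> Dict[str, int]:
    """Map one 'Log statistics;' message to {'<counter>_<stat>': value}."""
    return {f"{c}_{clean_key(s)}": int(v) for c, s, v in STAT_RE.findall(line)}

def counter_deltas(prev: Dict[str, int], curr: Dict[str, int]) -> Dict[str, int]:
    """Increase of each counter between two consecutive samples (the
    streamstats window=2 range() step of the search); stamp_* values are
    timestamps rather than counters, so they are skipped."""
    return {k: curr[k] - prev[k] for k in curr
            if k in prev and not k.startswith("stamp_")}

def dropped_counters(delta: Dict[str, int]) -> List[str]:
    """Destinations whose dropped= counter moved between samples: messages were lost."""
    return sorted(k for k, v in delta.items() if k.startswith("dropped_") and v > 0)

# Two constructed samples 5 minutes apart, trimmed to a few stats from the
# post's output format (all values made up).
SAMPLE_T0 = ("2016-07-29T15:18:23+00:00 n00b-splkufwd-03 syslog-ng[9673]: Log statistics;"
             " processed='src.host(n00bfirewall)=229', stamp='src.host(n00bfirewall)=1469805499',"
             " dropped='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=0',"
             " processed='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=229',"
             " processed='center(queued)=1450',")
SAMPLE_T1 = ("2016-07-29T15:23:23+00:00 n00b-splkufwd-03 syslog-ng[9673]: Log statistics;"
             " processed='src.host(n00bfirewall)=300', stamp='src.host(n00bfirewall)=1469805799',"
             " dropped='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=3',"
             " processed='dst.file(d_catchall#0,/var/log/sng_catchall/n00bfirewall/n00bfirewall.log)=297',"
             " processed='center(queued)=1521',")

if __name__ == "__main__":
    d = counter_deltas(parse_stats_line(SAMPLE_T0), parse_stats_line(SAMPLE_T1))
    for k, v in sorted(d.items()):
        print(f"{k} = {v}")
    print("dropped:", dropped_counters(d))
```

A non-zero dropped_* delta is the condition worth alerting on in Splunk; the processed_* deltas only show throughput per 5-minute window.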

[Screenshot, 2016-07-29: the resulting timechart of the *_delta values]
