Can Unraid act as a syslog server?



I'm having an issue with this. I have Bro running on a remote Raspberry Pi and I'm trying to send the logs to the unraid. Everything is set up fine on the RPi, including syslog-ng, which is configured to send my logs over. I had it working just fine in the past with an ELK setup on my unraid, but I need to get it to work with the Splunk docker, as Splunk is a better option. 

 

I installed the bro add-on in the Splunk docker and configured the inputs.conf file as instructed in documentation, then in Splunk settings I configured to receive on TCP port 601, and told my RPi syslog config to send to 601. I'm currently getting nothing in Splunk.

 

I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either.

 

Have any of you gotten it to work with a similar setup? Is it because I need a universal forwarder? I figured just using syslog-ng would work...

On 2/22/2019 at 6:16 PM, eaglephantom said:

I'm having an issue with this. I have Bro running on a remote Raspberry Pi and I'm trying to send the logs to the unraid. Everything is set up fine on the RPi, including syslog-ng, which is configured to send my logs over. I had it working just fine in the past with an ELK setup on my unraid, but I need to get it to work with the Splunk docker, as Splunk is a better option. 

 

I installed the bro add-on in the Splunk docker and configured the inputs.conf file as instructed in documentation, then in Splunk settings I configured to receive on TCP port 601, and told my RPi syslog config to send to 601. I'm currently getting nothing in Splunk.

 

I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either.

 

Have any of you gotten it to work with a similar setup? Is it because I need a universal forwarder? I figured just using syslog-ng would work...

In the past, I ran a Splunk docker. And I could forward stuff from unraid to Splunk easily. I just had to select a port and traffic type in Splunk. And the appropriate changes in rsyslog on unraid. Not sure if this is what you're after. But in general, Splunk should be easy to set up to accept/parse syslog.

On 2/22/2019 at 6:16 PM, eaglephantom said:

I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either.

Here's how I have it set up. In my /boot/config/go file, I've added this to forward traffic to a docker listening on port 1514:

# Uncomment rsyslog's forwarding rule and point it at localhost UDP 514 (a single @ means UDP in rsyslog).
# The trailing .*$ discards whatever follows "@@" on the stock line (e.g. the remote-host:514 placeholder),
# so the rule ends up as exactly "*.* @localhost:514"
/usr/bin/sed --in-place "s/^#\*\.\* \@\@.*$/\*\.\* @localhost:514/" /etc/rsyslog.conf
# Reload the rsyslog daemon so the new rule takes effect
/etc/rc.d/rc.rsyslogd reload

You can run it by hand if you don't want to reboot your server (/boot/config/go executes after boot). That line forwards data to my local Splunk docker on UDP:1514.

 

As a bonus, here's my docker-compose file for Splunk:

version: '2'
services:
  splunk:
    image: splunk/splunk:latest
    hostname: splunk
    environment:
      SPLUNK_START_ARGS: "--accept-license --answer-yes"
      SPLUNK_ENABLE_LISTEN: "9997"
      # UDP, not TCP: the rsyslog single-@ rule and the 514:1514/udp mapping below both carry UDP,
      # so the listener Splunk adds on 1514 has to be a UDP input
      SPLUNK_ADD: "udp 1514"
    volumes:
      - /mnt/cache/appdata/splunk/etc:/opt/splunk/etc
      - /mnt/cache/appdata/splunk/var:/opt/splunk/var
    ports:
      - "8000:8000"
      #- "9997:9997"
      #- "8088:8088"
      #- "1514:1514"
      - "514:1514/udp"
    restart: always

If you have Nerd tools installed, make sure docker-compose is there. Then you bring it up by running this in the directory where you placed the docker-compose.yml file:

docker-compose up -d

You should still log in to Splunk on port 8000, and make sure you can see your data. If not, let us know.

You can test if data is getting to Splunk by running this from any Linux/Mac/unRAID host, and then typing a line like, "Testing!"

nc -u localhost 514

Hope that helps!
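An added example (not from any of the posts above): it applies the go-file rewrite to a constructed rsyslog.conf snippet so you can see the resulting rule, and builds an RFC 3164-framed test message for the nc check instead of a bare "Testing!" line, so Splunk can extract the host and timestamp. The stock "#*.* @@remote-host:514" line, the host name and the tag are constructed values.

```shell
#!/bin/sh
# Added example, not the forum poster's code. Assumes the stock rsyslog.conf
# forwarding line is "#*.* @@remote-host:514" (constructed below) and that the
# Splunk container exposes host UDP 514 as in the compose file above.

# Apply the go-file rewrite to an rsyslog.conf read from stdin and print the
# resulting forwarding rule. The .*$ drops the remote-host remnant after "@@"
# so the output is exactly "*.* @localhost:514" (single @ = UDP in rsyslog).
forward_rule() {
    sed 's/^#\*\.\* @@.*$/*.* @localhost:514/' | grep '^\*\.\* @'
}

# RFC 3164 PRI value: facility * 8 + severity (local0=16, notice=5 -> 133).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build an RFC 3164 message: "<PRI>Mmm dd HH:MM:SS host tag: text".
# Splunk's syslog sourcetype extracts host and timestamp from this framing;
# a bare line gets the sender's IP and the receipt time instead.
syslog_msg() {
    # $1 facility, $2 severity, $3 host, $4 tag, $5 text
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" \
        "$(date '+%b %e %H:%M:%S')" "$3" "$4" "$5"
}

# Send one framed test message to the Splunk UDP input (default localhost:514).
# Usage: send_test [host] [port]
send_test() {
    syslog_msg 16 5 "$(hostname)" "syslogtest" "Testing from $(hostname)" \
        | nc -u -w1 "${1:-localhost}" "${2:-514}"
}

# Constructed sample of the relevant rsyslog.conf lines, to show the rewrite.
SAMPLE_CONF='# Remote logging
#*.* @@remote-host:514
*.* /var/log/syslog'
```

After running send_test, search Splunk for sourcetype=syslog and check that host is your Unraid host name rather than 127.0.0.1.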

On 4/1/2019 at 6:01 PM, eaglephantom said:

Thanks, and sorry for the late reply.

 

Where are you storing your log data, just on your unraid? Or are you simply pointing logs at your unraid's splunk instance rather than storing them in a separate location on the unraid?

The splunk instance takes the logs and stores them in appdata on the cache drive. I couldn't care less if I lost the logs, but they're useful to have sometimes when troubleshooting things.
