February 5, 2019 Are there any apps (dockers/plugins) that let you set up a syslog server in Unraid? Having some issues with a pfSense box and need to dump logs to a remote server and would prefer not to have to set up a Linux VM just for this.
February 5, 2019 Will be in the next rc release: https://forums.unraid.net/topic/55459-add-option-for-remote-syslog-in-webgui/?do=findComment&comment=717992 Edited February 5, 2019 by strike
February 5, 2019 Author 15 minutes ago, strike said: Will be in the next rc release: https://forums.unraid.net/topic/55459-add-option-for-remote-syslog-in-webgui/?do=findComment&comment=717992 Oh wow, it's going to be in RC3? What timing :D. Thanks.
February 5, 2019 I use the splunk/splunk:latest docker container. The free version allows 500MB of logs per day, I think. It's a bit advanced, but parsing logs with it is great!
February 5, 2019 Author 9 minutes ago, dee31797 said: I use the splunk/splunk:latest docker container. The free version allows 500MB of logs per day, I think. It's a bit advanced, but parsing logs with it is great! Thanks, I will test this out!
February 23, 2019 I'm having an issue with this. I have Bro running on a remote Raspberry Pi and I'm trying to send the logs to the unraid. Everything is set up fine on the RPi, including syslog-ng, which is configured to send my logs over. I had it working just fine in the past with an ELK setup on my unraid, but I need to get it to work with the Splunk docker, as Splunk is a better option. I installed the bro add-on in the Splunk docker and configured the inputs.conf file as instructed in the documentation, then in Splunk settings I configured it to receive on TCP port 601, and told my RPi syslog config to send to 601. I'm currently getting nothing in Splunk. I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either. Have any of you gotten it to work with a similar setup? Is it because I need a universal forwarder? I figured just using syslog-ng would work...
February 24, 2019 On 2/22/2019 at 6:16 PM, eaglephantom said: I'm having an issue with this. I have Bro running on a remote Raspberry Pi and I'm trying to send the logs to the unraid. Everything is set up fine on the RPi, including syslog-ng, which is configured to send my logs over. I had it working just fine in the past with an ELK setup on my unraid, but I need to get it to work with the Splunk docker, as Splunk is a better option. I installed the bro add-on in the Splunk docker and configured the inputs.conf file as instructed in the documentation, then in Splunk settings I configured it to receive on TCP port 601, and told my RPi syslog config to send to 601. I'm currently getting nothing in Splunk. I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either. Have any of you gotten it to work with a similar setup? Is it because I need a universal forwarder? I figured just using syslog-ng would work... In the past, I ran a Splunk docker, and I could forward stuff from unraid to Splunk easily. I just had to select a port and traffic type in Splunk, and make the appropriate changes in rsyslog on unraid. Not sure if this is what you're after, but in general, Splunk should be easy to set up to accept/parse syslog.
March 9, 2019 On 2/22/2019 at 6:16 PM, eaglephantom said: I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either. Here's how I have it set up. In my /boot/config/go file, I've added this to forward traffic to a docker listening on port 1514:

    /usr/bin/sed --in-place "s/^#\*\.\* \@\@/\*\.\* @localhost:514/" /etc/rsyslog.conf
    # Reload the rsyslog daemon
    /etc/rc.d/rc.rsyslogd reload

You can run it by hand if you don't want to reboot your server (/boot/config/go executes after boot). That line forwards data to my local Splunk docker on UDP:1514. As a bonus, here's my docker-compose file for Splunk:

    version: '2'
    services:
      splunk:
        image: splunk/splunk:latest
        hostname: splunk
        environment:
          SPLUNK_START_ARGS: --accept-license --answer-yes
          SPLUNK_ENABLE_LISTEN: 9997
          SPLUNK_ADD: tcp 1514
        volumes:
          - /mnt/cache/appdata/splunk/etc:/opt/splunk/etc
          - /mnt/cache/appdata/splunk/var:/opt/splunk/var
        ports:
          - "8000:8000"
          # - "9997:9997"
          # - "8088:8088"
          # - "1514:1514"
          - "514:1514/udp"
        restart: always

If you have Nerd Tools installed, make sure docker-compose is there. Then you bring it up by running this in the directory where you placed the docker-compose.yml file:

    docker-compose up -d

You should still log in to Splunk on port 8000, and make sure you can see your data. If not, let us know. You can test if data is getting to Splunk by running this from any Linux/Mac/unRAID host, and then typing a line like "Testing!":

    nc -u localhost 514

Hope that helps!
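The post above forwards rsyslog output as UDP datagrams to a listener on port 514 and tests it with a bare nc line. What the listener actually receives is a BSD-style (RFC 3164) syslog line with a numeric PRI field in angle brackets, which pfSense, rsyslog and syslog-ng all emit by default. The following is an added example, not code from this thread or from Splunk, that parses such lines into facility, severity, host, tag and message, re-serialises them for forwarding, and sends one as a UDP datagram the way rsyslog's single-@ target does. The three sample lines are constructed for the example (the pfSense filterlog, Bro and sshd content is illustrative, not captured from a real system), and the host/port defaults are assumptions.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 3164 / RFC 5424 facility (0-23) and severity (0-7) names.
# PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style line as rsyslog, pfSense and syslog-ng emit it by default:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MESSAGE
# The day is space-padded ("Feb  5"), so the timestamp allows one or two spaces.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def decode_priority(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def encode_priority(facility: str, severity: str) -> int:
    """Inverse of decode_priority; used when re-serialising an event."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_syslog_line(line: str) -> SyslogEvent:
    """Parse one RFC 3164 line; raises ValueError on anything else."""
    m = RFC3164_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    facility, severity = decode_priority(int(m["pri"]))
    pid = int(m["pid"]) if m["pid"] else None
    return SyslogEvent(facility, severity, m["ts"], m["host"], m["tag"], pid, m["msg"])


def format_syslog_line(ev: SyslogEvent) -> str:
    """Re-serialise an event in RFC 3164 form so a collector can forward it unchanged."""
    tag = f"{ev.tag}[{ev.pid}]" if ev.pid is not None else ev.tag
    pri = encode_priority(ev.facility, ev.severity)
    return f"<{pri}>{ev.timestamp} {ev.host} {tag}: {ev.message}"


def forward_udp(line: str, host: str = "127.0.0.1", port: int = 514) -> int:
    """Send one line as a UDP datagram (what rsyslog's '@host:port' target and 'nc -u' do).
    Host and port are assumed defaults matching the compose mapping in the post."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


# Constructed sample lines for this example (not captured from a real system).
SAMPLE_LINES = [
    "<134>Feb  5 10:12:01 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,51514,22,0,S,",
    "<13>Feb 23 18:16:42 raspberrypi bro: conn.log 192.0.2.10 203.0.113.7 22 tcp ssh",
    "<38>Mar  9 12:00:00 Tower sshd[2211]: Accepted publickey for root from 192.0.2.20 port 50212 ssh2",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_syslog_line(raw)
        print(f"{ev.facility}.{ev.severity:8} {ev.host:12} {ev.tag:10} {ev.message[:40]}")
```

Running the module prints one summary line per sample; calling forward_udp(SAMPLE_LINES[0]) reproduces the post's nc -u localhost 514 test with a properly framed message instead of bare text, which is what you want when checking that Splunk's input is assigning the right sourcetype and host. The parser rejects lines without a PRI header, which is also how a collector in the middle (the syslog-ng setup eaglephantom tried) would surface a misconfigured sender.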
April 2, 2019 Thanks, and sorry for the late reply. Where are you storing your log data, just on your unraid? Or are you simply pointing logs at your unraid's splunk instance rather than storing them in a separate location on the unraid?
May 28, 2019 On 4/1/2019 at 6:01 PM, eaglephantom said: Thanks, and sorry for the late reply. Where are you storing your log data, just on your unraid? Or are you simply pointing logs at your unraid's splunk instance rather than storing them in a separate location on the unraid? The splunk instance takes the logs and stores them in appdata on the cache drive. I couldn't care less if I lost the logs, but they're useful to have sometimes when troubleshooting things.