IamSpartacus posted February 5, 2019:
Are there any apps (dockers/plugins) that let you set up a syslog server in Unraid? Having some issues with a pfsense box and need to dump logs to a remote server and would prefer not to have to set up a Linux VM just for this.
strike posted February 5, 2019 (edited February 5, 2019 by strike):
Will be in the next rc release: https://forums.unraid.net/topic/55459-add-option-for-remote-syslog-in-webgui/?do=findComment&comment=717992
IamSpartacus (author) posted February 5, 2019, replying to strike ("Will be in the next rc release: https://forums.unraid.net/topic/55459-add-option-for-remote-syslog-in-webgui/?do=findComment&comment=717992"):
Oh wow, it's going to be in RC3? What timing :D. Thanks.
dee31797 posted February 5, 2019:
I use the splunk/splunk:latest docker container. The free version allows 500MB of logs per day, I think. It's a bit advanced, but parsing logs with it is great!
IamSpartacus (author) posted February 5, 2019, replying to dee31797 ("I use splunk/splunk:latest docker container..."):
Thanks, I will test this out!
eaglephantom posted February 23, 2019:
I'm having an issue with this. I have Bro running on a remote Raspberry Pi and I'm trying to send the logs to the unraid. Everything is set up fine on the RPi, including syslog-ng, which is configured to send my logs over. I had it working just fine in the past with an ELK setup on my unraid, but I need to get it to work with the Splunk docker, as Splunk is a better option. I installed the bro add-on in the Splunk docker and configured the inputs.conf file as instructed in the documentation, then in Splunk settings I configured it to receive on TCP port 601, and told my RPi syslog config to send to 601. I'm currently getting nothing in Splunk. I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either. Have any of you gotten it to work with a similar setup? Is it because I need a universal forwarder? I figured just using syslog-ng would work...
daze posted February 24, 2019, replying to eaglephantom's post of 2/22/2019 (quoted in full above):
In the past, I ran a Splunk docker, and I could forward stuff from unraid to Splunk easily. I just had to select a port and traffic type in Splunk, and make the appropriate changes in rsyslog on unraid. Not sure if this is what you're after, but in general, Splunk should be easy to set up to accept/parse syslog.
daze posted March 9, 2019, replying to eaglephantom ("I was hoping to use a "syslog collector" as an intermediary, so I installed a syslog-ng docker and configured it to accept the logs and forward on to Splunk, but that wasn't working either."):
Here's how I have it set up. In my /boot/config/go file, I've added this to forward traffic to a docker listening on port 1514:

```sh
/usr/bin/sed --in-place "s/^#\*\.\* \@\@/\*\.\* @localhost:514/" /etc/rsyslog.conf
# Reload the rsyslog daemon
/etc/rc.d/rc.rsyslogd reload
```

You can run it by hand if you don't want to reboot your server (/config/boot/go executes after boot). That line forwards data to my local Splunk docker on UDP:1514.

As a bonus, here's my docker-compose file for Splunk:

```yaml
version: '2'
services:
  splunk:
    image: splunk/splunk:latest
    hostname: splunk
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_ADD: tcp 1514
    volumes:
      - /mnt/cache/appdata/splunk/etc:/opt/splunk/etc
      - /mnt/cache/appdata/splunk/var:/opt/splunk/var
    ports:
      - "8000:8000"
      # - "9997:9997"
      # - "8088:8088"
      # - "1514:1514"
      - "514:1514/udp"
    restart: always
```

If you have Nerd tools installed, make sure docker-compose is there. Then you bring it up by running this in the directory where you placed the docker-compose.yml file:

```sh
docker-compose up -d
```

You should still log in to Splunk on port 8000, and make sure you can see your data. If not, let us know. You can test if data is getting to Splunk by running this from any Linux/Mac/unRAID host, and then typing a line like "Testing!":

```sh
nc -u localhost 514
```

Hope that helps!
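When "nothing shows up in Splunk", the first thing to pin down is whether datagrams reach the collector port at all and whether they carry a proper PRI header that the input can parse; a plain `nc` line has none. The script below is an added example for this thread, not daze's or Splunk's code: it binds a throwaway UDP collector on localhost, sends a constructed RFC 3164 line of the shape rsyslog emits for `*.* @localhost:514`, and decodes facility/severity/host from what arrives. Point the listener at the real port (or at the Splunk input's port, checking that its type, TCP vs UDP, matches the docker port mapping) to see exactly what the box is sending.

```python
import re
import socket

# RFC 3164 facility and severity names, indexed by PRI // 8 and PRI % 8
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST rest-of-line (the shape rsyslog sends with "*.* @host:514")
RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse_syslog(line: str) -> dict:
    """Decode a BSD syslog line; lines without a PRI header (e.g. typed into nc) are flagged raw."""
    m = RFC3164.match(line.rstrip("\r\n"))
    if not m:
        return {"raw": True, "facility": None, "severity": None, "host": None, "msg": line.strip()}
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {"raw": False, "facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def receive_one(sock: socket.socket, timeout: float = 2.0) -> dict:
    """Wait on an already-bound UDP socket for a single datagram and parse it."""
    sock.settimeout(timeout)
    data, _ = sock.recvfrom(65535)
    return parse_syslog(data.decode("utf-8", errors="replace"))


def loopback_check(message: str, port: int = 0) -> dict:
    """Bind a collector on 127.0.0.1 (port 0 = any free port), send one datagram, return the parse."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(message.encode(), listener.getsockname())
        return receive_one(listener)


if __name__ == "__main__":
    # Constructed sample in the shape a pfSense/rsyslog forwarder produces; not captured from a real box
    SAMPLE = "<38>Mar  9 10:15:01 pfsense sshd[1234]: Accepted publickey for admin from 192.0.2.10"
    print(loopback_check(SAMPLE))
```

To watch the real port instead of the loopback self-test, bind the listener to the port the forwarder targets and call receive_one in a loop while the collector container is stopped, so the two are not competing for the same socket.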
eaglephantom posted April 2, 2019:
Thanks, and sorry for the late reply. Where are you storing your log data, just on your unraid? Or are you simply pointing logs at your unraid's splunk instance rather than storing them in a separate location on the unraid?
daze posted May 28, 2019, replying to eaglephantom's post of 4/1/2019 (quoted in full above):
The splunk instance takes the logs and stores them in appdata on the cache drive. I couldn't care less if I lost the logs, but they're useful to have sometimes when troubleshooting things.