Syslog data to splunk

  • 1
  • Question
  • Updated 4 years ago
I want to send my HiveManager to Splunk. I just recently stood up a server to test out Splunk and want to know how to get data there. Is it a next, next, finish type thing and just put in the IP address, or is there more to the configuration?

Thanks in advance for any assistance.

Eddie Clark

  • 9 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1

Hivefan

  • 23 Posts
  • 4 Reply Likes
Hi Eddie,

Have you checked "Syslog Assignment Settings" under Configuration > Show Nav > Advanced Configuration > Management Services > Syslog Assignments > New? Let me know if you find it useful.

Regards,
Fan

Eddie Clark

  • 9 Posts
  • 0 Reply Likes
I have it set up, but now I need to know how to get data into Splunk to search. Full disclosure: I have not worked much with Splunk at all. I will keep trucking along. Thanks again.

Uli Saur

  • 26 Posts
  • 1 Reply Like

Hi Eddie,

The data gets into Splunk via syslog. As Fan wrote, you have to configure your Splunk server as the syslog server in your HiveManager and assign it to a policy, and then data goes into your Splunk.

In Splunk itself you choose the 'app' Search & Reporting and, e.g., click on 'Data Summary', where you can see all the hosts that are sending logs to your Splunk. Another possibility is to type 'host=10.*' (where 10.* is your AP management network) into the search bar at the top of the Splunk page. There is also great help that appears as you type.

Have fun!

Regards,

Uli


Eddie Clark

  • 9 Posts
  • 0 Reply Likes
Thanks Uli. Now I know how to find out where the data is supposed to go. This helps a lot. I am going to review the syslog settings in HiveManager. I have the server configured as a Splunk server and assigned to the network policy, but there currently isn't any data coming from the APs or HiveManager. I will keep at it. Thanks again.

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
Can you run a packet capture (probably tcpdump) on the Splunk box and see if the traffic is reaching the machine at all?
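As an added example (not code from the thread or from Aerohive/Splunk), this script pulls together the two halves of the answers above: Uli's point that Splunk must itself be set up to receive syslog, and J. Goodnough's suggestion to confirm with tcpdump that the APs' packets are reaching the box at all. It assumes Splunk lives under /opt/splunk, that syslog is sent to UDP 514, and that the AP management network is 10.0.0.0/8 (matching the 'host=10.*' search); the sample capture text is constructed to look like tcpdump output and is only there so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example: verify the HiveManager -> Splunk syslog path from the Splunk box.
# Assumptions (not from the thread): $SPLUNK_HOME=/opt/splunk, syslog on UDP 514,
# AP management network 10.0.0.0/8.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"
AP_NET="${AP_NET:-10.0.0.0/8}"

# 1. Splunk only receives syslog if an input is defined. This is the inputs.conf
#    stanza for a UDP listener; put it in $SPLUNK_HOME/etc/system/local/inputs.conf
#    and restart Splunk. connection_host = ip makes the 'host' field the sender's
#    IP, which is what a 'host=10.*' search keys on.
syslog_input_stanza() {
    printf '[udp://%s]\nsourcetype = syslog\nconnection_host = ip\n' "$1"
}

# 2. Is anything listening on the port? (iproute2 'ss'; no root needed)
listener_present() {
    ss -lun 2>/dev/null | grep -q ":$1 "
}

# 3. Live capture of syslog from the AP network (needs root). -nn keeps ports
#    numeric so the parser below sees ".514:" rather than ".syslog:".
capture_syslog() {
    tcpdump -nn -i any -c "${2:-20}" "udp port $1 and src net $AP_NET"
}

# 4. Summarise capture text (stdin): packets per source IP, most talkative first.
#    Only lines whose destination port is the syslog port are counted.
summarize_capture() {
    sed -n "s/.* IP \([0-9.]*\)\.[0-9]* > [0-9.]*\.$1: .*/\1/p" | sort | uniq -c | sort -rn
}

# Packets from one source IP (arg 1) to the syslog port (arg 2); prints 0 if none.
packets_from() {
    summarize_capture "$2" | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# ICMP "port unreachable" replies in the capture mean the packets do arrive but
# nothing on this box is listening, i.e. the Splunk input is missing or stopped.
unreachable_count() {
    grep -c "udp port $1 unreachable" || true
}

# Send one test message from another host (e.g. a Linux box on the AP network)
# to prove the path end to end; SPLUNK_IP is a placeholder for your server.
send_test_message() {
    logger --server "$1" --port "$2" --udp -t hivetest "syslog path check"
}

# Constructed sample in tcpdump's text format: two APs sending syslog, plus one
# ICMP port-unreachable reply that would only appear if no listener existed.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.1.2.3.49152 > 10.9.9.9.514: SYSLOG local0.info, length: 80
12:00:01.000002 IP 10.1.2.4.49152 > 10.9.9.9.514: SYSLOG local0.notice, length: 91
12:00:01.000003 IP 10.1.2.3.49152 > 10.9.9.9.514: SYSLOG local0.info, length: 77
12:00:01.000004 IP 10.9.9.9 > 10.1.2.3: ICMP 10.9.9.9 udp port 514 unreachable, length 116'

# Run the live checks only when invoked as: sh check-syslog.sh live
if [ "${1:-}" = "live" ]; then
    echo "--- inputs.conf stanza to add if missing ---"
    syslog_input_stanza "$SYSLOG_PORT"
    if listener_present "$SYSLOG_PORT"; then
        echo "listener on udp/$SYSLOG_PORT: yes"
    else
        echo "listener on udp/$SYSLOG_PORT: NO (add the stanza above, restart Splunk)"
    fi
    echo "--- capturing 20 syslog packets from $AP_NET ---"
    capture_syslog "$SYSLOG_PORT" 20 | tee /tmp/syslog-capture.txt | summarize_capture "$SYSLOG_PORT"
    echo "port-unreachable replies: $(unreachable_count "$SYSLOG_PORT" < /tmp/syslog-capture.txt)"
fi
```

Reading the two outcomes: if the capture is empty, the problem is on the HiveManager side (policy not pushed, wrong IP, or a firewall in between), which is J. Goodnough's question; if packets arrive but you see port-unreachable replies or no listener, the problem is on the Splunk side, which is Uli's point that Splunk has to be configured as the syslog server before anything shows up under 'host=10.*'. Binding UDP 514 requires root or the CAP_NET_BIND_SERVICE capability, so a Splunk instance running as an unprivileged user is a common reason the listener never appears.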