
syslog-ng Store Box 7.3.0 - Administration Guide


Transport settings for the Splunk destination

This section describes how you can configure the transport settings (HTTP or HTTPS transport) for your Splunk destination.

To configure the transport settings for your Splunk destination

  1. Navigate to Log > Destinations and create a new destination.

  2. Select Splunk destination.

    Figure 187: Log > Destinations > <your-splunk-destination> - Creating your new Splunk destination

  3. Select the transport type (HTTP connection settings or HTTPS connection settings) that you want to use for your Splunk destination, then continue with the settings of that connection type. With the HTTP transport, the HEC token and every forwarded log message cross the network in cleartext; use HTTPS unless the path between SSB and Splunk is protected by other means.

HTTP connection settings

This section describes the HTTP connection settings for your Splunk destination.

After you have set the transport settings for the Splunk destination, and selected the HTTP transport type, you can configure the following:

Figure 188: Log > Destinations > <your-splunk-destination> Transport > HTTP > HTTP connection settings - Configuring the HTTP connection settings for your new Splunk destination

The Splunk HTTP Event Collector (HEC) URL

When configuring the HTTP or HTTPS connection settings for your Splunk destination for syslog-ng Store Box (SSB), you have to configure the HTTP Event Collector (HEC) URL first.

To configure the Splunk HEC URL for your Splunk destination

  1. Navigate to Log > Destinations > <your-splunk-destination>.

  2. Select the Transport type you want to use (HTTP or HTTPS).

  3. Under HTTP connection settings or HTTPS connection settings (depending on your Transport type), enter the URL of the HTTP Event Collector endpoint on your Splunk deployment into the Splunk HTTP Event Collector (HEC) URL field.

NOTE: IPv6 addresses are not supported.

Splunk authentication and index settings

After setting the transport settings, and then configuring the Splunk HEC URL for your Splunk destination, you have to configure your Splunk authentication and index settings.

To configure your Splunk authentication and index settings

  1. Copy the Splunk HTTP Event Collector token provided by your Splunk deployment into the Token field.

    The Splunk HTTP Event Collector token is what authenticates SSB to the HEC endpoint and permits it to send messages to Splunk, so configuring the Token field is required for the Splunk destination. Treat the token as a secret: anyone who obtains it can write events into your Splunk deployment.

    For details about setting up and using the Splunk HTTP Event Collector token on your Splunk deployment, see Set up and use HTTP Event Collector in Splunk Web in the Splunk documentation.

  2. Enter the name of the Splunk index where Splunk will store the messages received from SSB into the Index field. The index must be one that the HEC token is allowed to write to.

    Configuring the Index field is required for the Splunk destination.

  3. (Optional) Enable Use proxy to use a proxy address while forwarding messages to your Splunk deployment.

  NOTE: When configuring your proxy address, consider the following:

  • Only the HTTP proxy type is supported.

  • Authenticated proxy types are not supported.

HTTPS connection settings

This section describes the HTTPS connection settings for your Splunk destination.

After you have set the transport settings for the Splunk destination, and selected the HTTPS transport type, you can configure the following:

Figure 189: Log > Destinations > <your-splunk-destination> Transport > HTTPS > HTTPS connection settings - Configuring the HTTPS connection settings for your new Splunk destination

The Splunk HTTP Event Collector (HEC) URL, and the Splunk authentication and index settings (Token, Index, and the optional Use proxy option), are configured exactly as described for the HTTP transport above, but under Log > Destinations > <your-splunk-destination> > Transport > HTTPS connection settings. The same restrictions apply: IPv6 addresses are not supported, only the HTTP proxy type is supported, and authenticated proxy types are not supported.

Verification

After setting the transport settings, configuring the Splunk HEC URL, and configuring your Splunk authentication and index settings, you can configure the verification settings for your Splunk destination.

NOTE: Both Peer verification and Client authentication are optional. Without Peer verification, SSB encrypts the connection but does not check the identity of the Splunk server, so anyone who can redirect the traffic can present their own certificate and receive both the HEC token and the log data. If you want to use Peer verification for your Splunk destination, the CA certificate that issued the Splunk HEC server certificate must be added under Log > Options > TLS settings before you enable the Peer verification option.

To configure the verification settings for your Splunk destination

  1. Navigate to Log > Destinations > <your-splunk-destination> > Transport > HTTPS connection settings > Verification.

  2. (Optional) To verify the Splunk server certificate against the CA certificate that you previously added under Log > Options > TLS settings, enable Peer verification.

  3. (Optional) To authenticate SSB to Splunk with a certificate, enable Client authentication, and add your Client X.509 certificate and your Client key. This only takes effect if the HEC input on your Splunk deployment is configured to request client certificates.
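The transport and verification choices above, as an added example in Python that is not part of SSB or of this guide: a helper that flags the weak settings (HTTP transport, or HTTPS without Peer verification), a TLS context built the way the Verification options describe (CA certificate for peer verification, client certificate and key for client authentication), and the HEC request that carries the token. The URL, token, port, file paths and proxy address are placeholders chosen for the example; `send_event` needs a reachable collector and is not exercised offline.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Placeholder values (assumptions for the example, not taken from the guide).
# 8088 and /services/collector/event are Splunk's default HEC port and path.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def transport_warnings(hec_url, peer_verification):
    """Return the transport weaknesses a reviewer would flag for a destination."""
    warnings = []
    scheme = urlparse(hec_url).scheme.lower()
    if scheme == "http":
        warnings.append("cleartext transport: the HEC token in the Authorization "
                        "header and every log line cross the network unencrypted")
    elif scheme == "https" and not peer_verification:
        warnings.append("no peer verification: any certificate is accepted, so a "
                        "spoofed collector can harvest the token and the logs")
    elif scheme != "https":
        warnings.append("unsupported scheme: " + scheme)
    return warnings


def make_ssl_context(peer_verification=True, ca_file=None,
                     client_cert=None, client_key=None):
    """Build the TLS context the Verification settings describe.

    ca_file      CA certificate that issued the collector's certificate
                 (the one added under Log > Options > TLS settings);
                 None falls back to the system trust store.
    client_cert  Client X.509 certificate; client_key its private key.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if not peer_verification:
        # Weak setting: encrypt only, trust whoever answers.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe_context(ctx):
    """Plain-data view of the two settings that matter for peer verification."""
    required = ctx.verify_mode == ssl.CERT_REQUIRED
    return {"check_hostname": ctx.check_hostname,
            "verify_mode": "CERT_REQUIRED" if required else "CERT_NONE"}


def build_hec_request(hec_url, token, payload):
    """One HEC event POST: JSON body, token in the Authorization header."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        hec_url, data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})


def send_event(hec_url, token, payload, ctx, proxy=None):
    """Deliver one event; proxy is an unauthenticated HTTP proxy URL or None."""
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    with opener.open(build_hec_request(hec_url, token, payload), timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: review the settings before pointing at a live collector.
    plain = "http://splunk.example.internal:8088/services/collector/event"
    for url, verify in [(plain, False), (HEC_URL, False), (HEC_URL, True)]:
        print(url, "peer_verification=%s" % verify,
              transport_warnings(url, verify) or ["ok"])
```

The request is what SSB's Token field ultimately produces on the wire: the token travels in an `Authorization: Splunk <token>` header on every POST, which is why the HTTP transport and an unverified HTTPS peer both expose it.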

JSON message body

When configuring your Splunk destination for syslog-ng Store Box (SSB), you have to configure the JSON message body settings after you finish configuring the Transport settings for the Splunk destination.

Figure 190: Log > Destinations > <your-splunk-destination> - Configuring the JSON message body for your new Splunk destination

To configure the JSON message body settings for your Splunk destination

  1. In the Event field, specify the body of the message that SSB sends to your Splunk deployment.

    NOTE: SSB sends the rendered Event template to your Splunk deployment as the event value of the JSON payload. With the default template this is the timestamp, host and message header followed by the message body (the value of the ${MSG} macro in a syslog-ng PE configuration).

    Default syntax: ${S_ISODATE} ${HOST} ${MSGHDR}${MSG}\n

  2. In the Time field, specify the timestamp for the message that SSB sends to your Splunk deployment.

    Default syntax: ${S_UNIXTIME}.${S_MSEC}

  3. In the Source type field, specify the same source type that you configured on your Splunk deployment for the Splunk token assigned to this SSB destination.

    Default syntax: ${.app.name:-syslog}

    This is the syslog-ng default-value form: the value of the .app.name name-value pair is used when the message has one, otherwise the literal syslog.

    For details about source types, see Why source types matter in the Splunk online documentation.

  4. In the Host field, specify the hostname for the message that SSB sends to your Splunk deployment.

    NOTE: On your Splunk deployment, the message will appear as if it was sent by the host specified in this field.

    Default syntax: ${HOST}

  5. In the Source field, enter the value of the source field that is configured on your Splunk deployment.

    Default value on Splunk deployments: syslog-ng.
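The five JSON message body fields, as an added example in Python that is not SSB's code: a small renderer for the braced `${NAME}` and `${NAME:-default}` template forms used by the defaults above, applied to a constructed sshd message, and the resulting HEC event object (event, time, sourcetype, host, source, index). The Source type default is written here in syslog-ng's braced `${.app.name:-syslog}` form, which is how the page's `.app.name:-syslog` default is read; the sample message, its timestamp and the index name are invented for the example, and only the braced macro form is handled.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample message (not from the guide): one sshd line as SSB would
# have parsed it, with the macro values the JSON message body templates use.
_RECEIVED = datetime(2024, 3, 5, 14, 22, 31, 123000, tzinfo=timezone.utc)
SAMPLE_MACROS = {
    "HOST": "gateway01",
    "MSGHDR": "sshd[1234]: ",
    "MSG": "Accepted publickey for alice from 203.0.113.7 port 51234 ssh2",
    "S_ISODATE": _RECEIVED.isoformat(timespec="seconds"),   # 2024-03-05T14:22:31+00:00
    "S_UNIXTIME": str(int(_RECEIVED.timestamp())),
    "S_MSEC": "%03d" % (_RECEIVED.microsecond // 1000),
}

# Defaults as listed in the guide for the JSON message body fields.
DEFAULT_EVENT = r"${S_ISODATE} ${HOST} ${MSGHDR}${MSG}\n"
DEFAULT_TIME = "${S_UNIXTIME}.${S_MSEC}"
DEFAULT_SOURCETYPE = "${.app.name:-syslog}"
DEFAULT_HOST = "${HOST}"
DEFAULT_SOURCE = "syslog-ng"

# ${NAME} or ${NAME:-default}; names may contain dots (".app.name").
_MACRO = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")


def render(template, macros):
    """Expand braced macros; an unset or empty macro takes its :-default,
    or expands to an empty string when no default is given."""
    def sub(match):
        name, default = match.group(1), match.group(2)
        value = macros.get(name)
        if value is None or value == "":
            return default if default is not None else ""
        return value
    # The template's literal \n escape becomes a newline, as in syslog-ng.
    return _MACRO.sub(sub, template).replace(r"\n", "\n")


def hec_event(macros, index, event=DEFAULT_EVENT, time=DEFAULT_TIME,
              sourcetype=DEFAULT_SOURCETYPE, host=DEFAULT_HOST,
              source=DEFAULT_SOURCE):
    """Map the SSB fields onto the keys of one HEC event JSON object.
    HEC accepts time as epoch seconds with an optional millisecond fraction."""
    return {
        "event": render(event, macros),
        "time": render(time, macros),
        "sourcetype": render(sourcetype, macros),
        "host": render(host, macros),
        "source": render(source, macros),
        "index": index,
    }


if __name__ == "__main__":
    print(json.dumps(hec_event(SAMPLE_MACROS, "ssb_logs"), indent=2))
    # Same message once an application adapter has set .app.name:
    tagged = {**SAMPLE_MACROS, ".app.name": "sshd"}
    print(render(DEFAULT_SOURCETYPE, tagged))
```

Rendering the defaults makes two things visible that the field list alone does not: the Event value already contains the timestamp and host, so Splunk's `host` and `_time` come from the separate Host and Time fields rather than from parsing the event text, and the Source type falls back to `syslog` for any message that no application adapter has classified, which is the value the HEC token's source type must match.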
