A couple of other things to consider:
If you forwarded everything first to ELSA via syslog, and then to
Splunk conditionally, you could use ELSA for your more verbose,
"debug" logs, and Splunk for more important ones, letting you pay for
just the bare amount of data to index for your Splunk licensing.
You can have Splunk forward to ELSA as outlined in the link above.
However, ELSA uses the sender's IP address for the "host" field, so
the host field will be incorrect if received directly from Splunk.
But, your option sounds really good ... Can I configure under ELSA (or
maybe syslog) some rewrite rules to forward data to the Splunk server with
the correct hostname? The idea is:
Some syslog device -----> SplunkUniversalForwarder (or rsyslog) ---->
ELSA ----> Splunk
So, if your syslog-ng.conf for ELSA has a source "s_network" like this:

    source s_network { udp(); tcp(); };

Add a Splunk destination:

    destination d_splunk { udp("my.splunk.server" port(514)); };

Add the log statement:

    log {
        source(s_network);
        log { destination(d_splunk); };
        log {
            # ELSA specific rewrites, parser, etc.
            destination(d_elsa);
        };
    };
This will forward everything on to Splunk completely unchanged, so it
should receive just fine.
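As an added example (not from this thread and not ELSA's shipped configuration), the same chain with two refinements: the host field is taken from the message instead of the sending relay's IP, and only warning-and-above is forwarded to Splunk to keep the licensed volume down. It reuses the s_network and d_elsa names above; "my.splunk.server" is a placeholder.

```conf
# Added example, not the thread's or ELSA's own configuration.
# Assumes s_network and d_elsa are already defined as in the thread.

options {
    # Keep the HOST field the sender (or an upstream relay) wrote instead
    # of replacing it with the IP address of the last hop. Note that the
    # value is then only as trustworthy as whoever sent the message.
    keep_hostname(yes);
    # Do not prepend each relay's name to the host field on the way.
    chain_hostnames(no);
};

source s_network { udp(); tcp(); };

# Only the more important messages go to Splunk; everything still
# reaches ELSA below.
filter f_important { level(warning..emerg); };

destination d_splunk {
    udp("my.splunk.server" port(514)
        # Classic BSD syslog line carrying the preserved HOST, so Splunk
        # reads the host from the message rather than from this relay's IP.
        template("<${PRI}>${DATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

log {
    source(s_network);
    log { filter(f_important); destination(d_splunk); };
    log {
        # ELSA specific rewrites, parser, etc.
        destination(d_elsa);
    };
};
```

Run `syslog-ng -s -f /path/to/syslog-ng.conf` to syntax-check the file before reloading.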
On the other hand, I will install ELSA in a RHEL cluster using RedHat
Cluster Suite (RHCS)... Do you know of any problems I need to be aware
of when using this type of infrastructure?
Thanks for your help, Martin.
ELSA will not work with rsyslog as it uses syslog-ng's advanced
pattern-db fast pattern matcher to process logs. However, the
currently installed rsyslog will not be a problem as ELSA will run in
addition to it. The install.sh referred to in the quickstart doc will
download and compile syslog-ng for you on a RedHat system and it can
run alongside the stock rsyslog.
In addition, you can certainly use rsyslog to forward to ELSA or have
rsyslog be somewhere in the chain, you just have to have syslog-ng at
the end of the chain to give its logs to ELSA. I have an example of
how to use rsyslog to forward flat files on my blog here:
http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
> On the other hand, I will install ELSA in a RHEL cluster using RedHat
> Cluster Suite (RHCS)... Do you know of any problems I need to be aware
> of when using this type of infrastructure?
There shouldn't be any services that require the cluster components,
but ELSA should install just fine on RedHat with the install.sh
script. Let me know if you run into any problems.