Skip to content Skip to site navigation Skip to service navigation

Onboard Logs via the Splunk syslog Service

Before sending logs to Splunk, please see the log on-boarding guidelines from ISO as following:

  1. Use the Splunk Universal Forwarder
  2. Use the encrypted Syslog service ONLY if you cannot use the Splunk Universal Forwarder
  3. Use the unencrypted Syslog service ONLY if you cannot use the Splunk Universal Forwarder AND the encrypted Syslog service

 

For the logs on devices, appliances, and cloud-based applications where Splunk Universal Forwarder cannot be installed, the logs can be sent to Splunk via the Splunk syslog service.

  • Encrypted syslog service (server: uitsyslog02 (171.67.54.23), port: 10514).  
    Using this service, the traffic transmitted between your hosts and the syslog server(uitsyslog02) will be encrypted. It’s recommended to use this service. 
     
  • Un-Encrypted syslog service (server: uitsyslog01 (171.67.54.20), port: 514)
    Using this service, the traffic transmitted between your hosts and the syslog server(uitsyslog01) will be NOT be encrypted. Use this syslog service ONLY if you cannot use the encrypted syslog service.

Overview of syslog Setup Process

Accessing and setting up the Splunk syslog service will require three parts as outlined below. Detailed instructions for each part follows.

  1. Request access to the Splunk syslog service.
  2. Configure your devices to send logs to the Splunk syslog service.
  3. Validate that the data is onboarding on the Splunk console.

Part 1: Request access to the Splunk syslog service

To request access to the Splunk syslog service, please submit a Help request that includes the following information:

  • Specify which Splunk syslog service you want to use: uitsyslog01 or uitsyslog2.  If you select uitsyslog01,  please state why the encrypted syslog service cannot be used.
  • The name and IP address of the source servers.
  • The application or service name of the logs.
  • The SUNet IDs or work groups who need to access the index.
  • Specify any Splunk applications or add-ons as needed.
  • Indicate if the daily log volume is more than 100 MB/day.

Part 2: Configure your devices to send logs to the Splunk syslog service

  1. Configure your devices, appliances, and cloud-based applications to forward logs to the Splunk syslog service (uitsyslog01 or uitsyslog02). If uitsyslog02 is selected, the Splunk team will provide you with a certificate to configure your devices to trust the Splunk syslog service.
  2. If you have outbound firewall restriction in your local OS firewall or your departmental firewall, you might need to adjust the rules to permit outgoing syslog connections.

Part 3: Validate the data onboarding on splunk console

  1. The Splunk team will confirm if logs are getting to the Splunk syslog server.
  2. Once the logs are onboarded, the Splunk team will notify you and provide you with the index name.
  3. Access https://susplunk.stanford.edu/ and run the following query on the Splunk console, replacing with the index name provided to you by the Splunk team.
    	index=<yourindex>
    
Last modified June 26, 2018