Not able to send logs to my syslog-ng server

Hi everyone, I'm trying to send pihole.log to my syslog-ng server through a Splunk universal forwarder. Why through a UF? Because in the end I wanna have the logs in my Splunk environment.

Details about my system:
I configured the following files:

inputs.conf

[monitor:///var/log/pihole.log]
disabled = false
sourcetype = pihole:log

output.conf

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.20.30.15:514
[tcpout-server://10.20.30.15:514]

props.conf

[dnsmasq]
NO_BINARY_CHECK = true
DATETIME_CONFIG =
TIME_FORMAT = %b %d %H:%M:%S

The issue I'm gonna get is that the log file on the syslog side looks like this:

Dec 22 12:58:04 10.20.30.5 @
Dec 22 12:58:04 10.20.30.5
Dec 22 12:58:04 10.20.30.5 __s2s_capabilities
Dec 22 12:58:04 10.20.30.5 ack=0;compression=0
Dec 22 12:58:04 10.20.30.5 _raw
Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--
Dec 22 12:58:24 10.20.30.5 pihole
Dec 22 12:58:24 10.20.30.5 8089
Dec 22 12:58:24 10.20.30.5 @
Dec 22 12:58:24 10.20.30.5
Dec 22 12:58:24 10.20.30.5 __s2s_capabilities
Dec 22 12:58:24 10.20.30.5 ack=0;compression=0
Dec 22 12:58:24 10.20.30.5 _raw

which is not really much :slight_smile:

Do you have a hint for me to solve this issue? I'd be very happy :slight_smile:
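As an added example (not part of the original post, and not Splunk or syslog-ng code): a receiver-side check that scans syslog lines for the Splunk-to-Splunk handshake markers visible in the log above and reports which senders are delivering cooked data instead of raw events. The sample lines come from the post, except the `10.20.30.7` dnsmasq line, which is constructed; the function name `find_cooked_senders` is hypothetical.

```python
import re

# Markers copied from the receiver log in the post: they belong to the
# forwarder's Splunk-to-Splunk (S2S) handshake, not to pihole.log itself.
S2S_MARKERS = ("--splunk-cooked-mode-v", "__s2s_capabilities")
VERSION_RE = re.compile(r"--splunk-cooked-mode-v(\d+)--")

# Layout written by the receiver: "Dec 22 12:58:24 10.20.30.5 <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ?(.*)$")

# Lines from the post, plus one constructed line from a second host
# (10.20.30.7) that shows what a raw dnsmasq event looks like.
SAMPLE = """\
Dec 22 12:58:04 10.20.30.5 __s2s_capabilities
Dec 22 12:58:04 10.20.30.5 ack=0;compression=0
Dec 22 12:58:04 10.20.30.5 _raw
Dec 22 12:58:24 10.20.30.5 --splunk-cooked-mode-v3--
Dec 22 12:58:24 10.20.30.5 pihole
Dec 22 12:58:24 10.20.30.5 8089
Dec 22 12:59:01 10.20.30.7 dnsmasq[812]: query[A] example.com from 10.20.30.50
""".splitlines()


def find_cooked_senders(lines):
    """Return {host: {first_seen, hits, versions}} for hosts whose
    messages contain S2S handshake markers."""
    senders = {}
    for line in lines:
        match = LINE_RE.match(line.rstrip("\n"))
        if not match:
            continue  # not in the expected "timestamp host message" layout
        timestamp, host, message = match.groups()
        if not any(marker in message for marker in S2S_MARKERS):
            continue
        entry = senders.setdefault(
            host, {"first_seen": timestamp, "hits": 0, "versions": set()}
        )
        entry["hits"] += 1
        version = VERSION_RE.search(message)
        if version:
            entry["versions"].add(int(version.group(1)))
    return senders


if __name__ == "__main__":
    for host, info in find_cooked_senders(SAMPLE).items():
        print(f"{host}: cooked S2S stream since {info['first_seen']}, "
              f"{info['hits']} marker lines, versions {sorted(info['versions'])}")
```

A host reported here is speaking the forwarder protocol to a port that expects plain syslog; in outputs.conf the `tcpout` setting that controls this is `sendCookedData`.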

Should those be the same? Are you declaring what pihole type is somewhere?

Have you considered moving the log to the new location?

I've not used remote logging myself, but I recall a brief conversation with a user involving remote syslogs. Maybe @shoka would be able to help you out if he's still hanging out around here.
