Postby jfedelem » Mon Mar 07, 2016 11:27 pm

I'm trying to get Splunk working with rsyslog on a Windows Server 2012 box. It's not working and I'm trying to confirm that I've set up the rsyslog service correctly.

I'm trying to capture syslogs from an Adtran router with rsyslog, then read them with Splunk. I have confirmed that the Adtran is sending syslogs on UDP port 514 to the correct server.

Unfortunately, I'm stuck using a windows server so much of the help data that relates to Linux is not helpful to me.

I think rsyslog is set up correctly. Here is what I've done.

1. Go under "Services" and find the "syslog server" service I've created. Click "test syslog server". Click "send" under test and it tells me I'm successful. Under the message properties tab, it shows the same syslog facility that I have chosen, local0. Under sourcename, however, it has the server name. Not sure if that's right.
2. Assuming that the service is configured correctly, the ruleset has to be correct. I just took the default rule set and changed the syslog server to the server's local IP.
3. Therefore, I think rsyslog is set up correctly, but I can't see any logs under C:\Program Files (x86)\RSyslog\Agent or its subfolders.

I think I have rsyslog set up right, but since I can't seem to get Splunk connected I'd like to be sure. I've asked over on the Splunk forum for their side of things.

Any help for a n00b would be appreciated.
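As an added example (not part of jfedelem's post or of the rsyslog agent), a small Python listener that binds UDP 514, decodes each datagram's `<PRI>` header into facility and severity names, and reports the sender's IP, so you can confirm that messages tagged local0 actually arrive from the router before involving the forwarder. The rsyslog Windows agent must be stopped while this runs, since only one process can hold the port; the sample message, hostname and timing values are constructed.

```python
import re
import socket

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample: PRI 134 = local0 (16) * 8 + info (6), as an Adtran router might send.
SAMPLE = "<134>Mar  7 23:27:00 adtran-rtr: Interface eth 0/1 changed state to up"


def parse_pri(message: str):
    """Return (facility_name, severity_name) from a syslog datagram, or None
    if the message has no valid <PRI> header (valid PRI values are 0..191).
    Works for both RFC 3164 and RFC 5424 framing, since PRI is always first."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def listen(bind_addr="0.0.0.0", port=514, count=5, timeout=15.0):
    """Bind the syslog UDP port and collect up to `count` datagrams as
    (source_ip, parsed_pri, raw_text) tuples. An empty list after the timeout
    means nothing reached this host on that port (firewall, wrong target IP)."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(results) < count:
            try:
                data, (src_ip, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            text = data.decode("utf-8", errors="replace")
            results.append((src_ip, parse_pri(text), text))
    return results


if __name__ == "__main__":
    print("sample:", parse_pri(SAMPLE))
    for src, pri, text in listen():
        print(src, pri, text.rstrip())
```

A result whose facility is not local0, or whose source IP is not the router, tells you which side to look at next: the router's logging configuration or the agent's ruleset.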
