Vendor - HAProxy¶
Product¶
Ref | Link |
---|---|
Splunk Add-on | https://splunkbase.splunk.com/app/3135/ |
Sourcetypes¶
sourcetype | notes |
---|---|
haproxy:tcp | Default syslog format |
haproxy:splunk:http | Splunk’s documented custom format. Note: detection is based on client_ip prefix in message |
Index Configuration¶
key | index | notes |
---|---|---|
haproxy_syslog | netlb | none |
Filter type¶
MSG Parse: This filter parses message content
Options¶
Variable | default | description |
---|---|---|
SC4S_LISTEN_HAPROXY_SYSLOG_RFC6587_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_LISTEN_HAPROXY_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
SC4S_ARCHIVE_HAPROXY_SYSLOG | no | Enable archive to disk for this specific source |
SC4S_DEST_HAPROXY_SYSLOG_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
Verification¶
An active site will generate frequent events use the following search to check for new events
Verify timestamp, and host values match as expected
index=<asconfigured> (sourcetype=haproxy*")