Vendor - HAProxy
Product
| Ref | Link |
|---|---|
| Splunk Add-on | https://splunkbase.splunk.com/app/3135/ |
Sourcetypes
| sourcetype | notes |
|---|---|
| haproxy:tcp | Default syslog format |
| haproxy:splunk:http | Splunk's documented custom format. Note: detection is based on the client_ip prefix in the message |
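As an added illustration, not code from the SC4S project or this page: a small Python routine that applies the detection rule the table describes (a message body starting with `client_ip=` is tagged haproxy:splunk:http, anything else haproxy:tcp) and parses the key=value body of the custom format. Only the client_ip prefix, the two sourcetypes and the netlb index come from the page; the remaining field names in the constructed sample are assumptions.

```python
import re

# Sourcetypes from the SC4S HAProxy page
ST_TCP = "haproxy:tcp"                   # default syslog format
ST_SPLUNK_HTTP = "haproxy:splunk:http"   # Splunk's documented custom log-format

# The custom format is a run of space-separated key=value pairs; a value may be
# double-quoted (the HTTP request line contains spaces). The first pair is
# client_ip, which is the prefix SC4S keys on.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def classify_sourcetype(msg: str) -> str:
    """Apply the page's detection rule: a message body starting with
    client_ip= is the Splunk custom HTTP format; anything else is treated
    as HAProxy's default syslog format."""
    return ST_SPLUNK_HTTP if msg.lstrip().startswith("client_ip=") else ST_TCP


def parse_splunk_http(msg: str) -> dict:
    """Turn the key=value body into a dict, stripping surrounding quotes and
    unescaping embedded escaped quotes so the request line survives intact."""
    fields = {}
    for key, raw in _KV_RE.findall(msg):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def route(msg: str) -> dict:
    """Tag one event the way the page's tables do: sourcetype by prefix,
    index from the haproxy_syslog key (netlb), parsed fields only for the
    custom format (the default format is left to Splunk-side extraction)."""
    st = classify_sourcetype(msg)
    fields = parse_splunk_http(msg) if st == ST_SPLUNK_HTTP else {}
    return {"sourcetype": st, "index": "netlb", "fields": fields}


# Constructed sample message bodies (syslog header already removed); the
# field names after client_ip are assumed, not taken from the page.
SAMPLE_SPLUNK = ('client_ip=203.0.113.7 client_port=51234 frontend_name=fe_web '
                 'backend_name=be_app server_name=app1 status_code=403 '
                 'bytes_read=512 http_request="GET /admin HTTP/1.1"')
SAMPLE_DEFAULT = ('203.0.113.7:51234 [10/Oct/2023:13:55:36.123] fe_web be_app/app1 '
                  '0/0/0/1/1 403 512 - - ---- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"')

if __name__ == "__main__":
    for line in (SAMPLE_SPLUNK, SAMPLE_DEFAULT):
        print(route(line))
```

A quick way to confirm a sender is emitting the custom format before it reaches SC4S is to run the raw message bodies through `classify_sourcetype` and check that none unexpectedly fall back to haproxy:tcp.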
Index Configuration
| key | index | notes |
|---|---|---|
| haproxy_syslog | netlb | none |
Filter type
MSG Parse: This filter parses message content
Options
| Variable | default | description |
|---|---|---|
| SC4S_LISTEN_HAPROXY_SYSLOG_RFC6587_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_LISTEN_HAPROXY_SYSLOG_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers |
| SC4S_ARCHIVE_HAPROXY_SYSLOG | no | Enable archive to disk for this specific source |
| SC4S_DEST_HAPROXY_SYSLOG_HEC | no | When Splunk HEC is disabled globally, set to yes to enable this specific source |
Verification
An active site will generate frequent events; use the following search to check for new events. Verify that the timestamp and host values match as expected.

index=<asconfigured> (sourcetype="haproxy*")