Skip to content

Vendor - Splunk

Product - Splunk Connect for Syslog (SC4S)

Ref Link
Splunk Add-on https://splunkbase.splunk.com/app/4740/
Product Manual https://splunk-connect-for-syslog.readthedocs.io/en/latest/

Sourcetypes

sourcetype notes
sc4s:events Internal events from the SC4S container and underlying syslog-ng process
sc4s:metrics syslog-ng operational metrics that will be delivered directly to a metrics index in Splunk

Sourcetype and Index Configuration

key sourcetype index notes
sc4s_events all main none
sc4s_metrics all em_metrics none

Filter type

SC4S events and metrics are generated automatically and no specific ports or filters need to be configured for the collection of this data.

Setup and Configuration

  • No specific requirements are required for the collection of sc4s internal events.
  • Metrics data is collected by default as traditional events; use of Splunk Metrics is enabled by an opt-in set by the variable SC4S_DEST_SPLUNK_SC4S_METRICS_HEC. See the “Options” section below for details.

Options

Variable default description
SC4S_DEST_SPLUNK_SC4S_METRICS_HEC event event produce metrics as plain text events; single produce metrics using Splunk Enterprise 7.3 single metrics format; multi produce metrics using Splunk Enterprise 8.x multi metric format
SC4S_SOURCE_MARK_MESSAGE_NULLQUEUE yes (yes

Verification

SC4S will generate versioning events at startup. These startup events can be used to validate HEC is set up properly on the Splunk side.

index=<asconfigured> sourcetype=sc4s:events | stats count by host

Metrics can be observed via the “Analytics–>Metrics” navigation in the Search and Reporting app in Splunk. * NOTE: The presentation of metrics is undergoing active development; the delivery of metrics is currently considered an experimental feature.