Skip to content

Install Docker Desktop

Refer to your Docker documentation to set up your Docker Desktop.

Perform your initial SC4S configuration

You can run SC4S with docker-compose, or in the command line using the command docker run. Both options are described in this topic.

  1. Create a directory on the server for local configurations and disk buffering. Make it available to all administrators, for example: /opt/sc4s/. If you are using docker-compose, create a docker-compose.yml file in this directory using the template provided here. By default, the latest SC4S image is automatically downloaded at each restart. As a best practice, check back here regularly for any changes made to the latest template is incorporated into production before you relaunch with Docker Compose.
version: "3.7"
services:
  sc4s:
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
    image: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest
    ports:
       - target: 514
         published: 514
         protocol: tcp
       - target: 514
         published: 514
         protocol: udp
       - target: 601
         published: 601
         protocol: tcp
       - target: 6514
         published: 6514
         protocol: tcp
    env_file:
      - /opt/sc4s/env_file
    volumes:
      - /opt/sc4s/local:/etc/syslog-ng/conf.d/local:z
      - splunk-sc4s-var:/var/lib/syslog-ng
# Uncomment the following line if local disk archiving is desired
#     - /opt/sc4s/archive:/var/lib/syslog-ng/archive:z
# Map location of TLS custom TLS
#     - /opt/sc4s/tls:/etc/syslog-ng/tls:z

volumes:
  splunk-sc4s-var:
  1. In Docker, set the /opt/sc4s folder as shared.
  2. Create a local volume that will contain the disk buffer files in the event of a communication failure to the upstream destinations. This volume also keeps track of the state of syslog-ng between restarts, and in particular the state of the disk buffer. Be sure to account for disk space requirements for the Docker volume. This volume is located in /var/lib/docker/volumes/ and could grow significantly if there is an extended outage to the SC4S destinations. See SC4S Disk Buffer Configuration in the Configuration topic for more information.
sudo docker volume create splunk-sc4s-var

  1. Create the subdirectories: /opt/sc4s/local, /opt/sc4s/archive, and /opt/sc4s/tls. If you are using the docker-compose.yml file, make sure these directories match the volume mounts specified indocker-compose.yml.

  2. Create a file named /opt/sc4s/env_file.

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://your.splunk.instance:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
6. Update the following environment variables and values to /opt/sc4s/env_file:

  • Update SC4S_DEST_SPLUNK_HEC_DEFAULT_URL and SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN to reflect the values for your environment. Do not configure HEC Acknowledgement when you deploy the HEC token on the Splunk side; syslog-ng http destination does not support this feature.
  • The default number of SC4S_DEST_SPLUNK_HEC_WORKERS is 10. Consult the community if you feel the number of workers (threads) should deviate from this.

NOTE: Splunk Connect for Syslog defaults to secure configurations. If you are not using trusted SSL certificates, be sure to uncomment the last line in the example above.

For more information about configuration, see Docker and Podman basic configurations and detailed configuration.

Start or restart SC4S

  • You can start SC4S directly if you are not using docker-compose. Be sure to map the listening ports (-p arguments) according to your needs:
docker run -p 514:514 -p 514:514/udp -p 6514:6514 -p 5000-5020:5000-5020 -p 5000-5020:5000-5020/udp \
    --env-file=/opt/sc4s/env_file \
    --name SC4S \
    --rm ghcr.io/splunk/splunk-connect-for-syslog/container3:latest
  • If you are using docker compose, from the catalog where you created compose file execute: 
    docker compose up

Otherwise use docker compose with -f flag pointing to the compose file: 

docker compose up -f /path/to/compose/file/docker-compose.yml

Stop SC4S

If the container is run directly from the CLI, stop the container using the docker stop <containerID> command.

If using docker compose, execute:

docker compose down
or 

docker compose down -f /path/to/compose/file/docker-compose.yml

Validate your configuration

SC4S performs automatic checks to ensure that the container starts properly and that the syntax of the underlying syslog-ng configuration is correct. Once these checks are complete, verify that SC4S is properly communicating with Splunk:

index=* sourcetype=sc4s:events "starting up"

This should yield an event similar to the following when the startup process proceeds normally:

syslog-ng starting up; version='3.28.1'

If you do not see this, try the following steps to troubleshoot:

  1. Check to see that the URL, token, and TLS/SSL settings are correct, and that the appropriate firewall ports are open (8088 or 443).
  2. Check to see that the proper indexes are created in Splunk, and that the token has access to them.
  3. Ensure the proper operation of the load balancer if used.
  4. Check the SC4S startup process running in the container.
docker logs SC4S

You should see events similar to those below in the output:

syslog-ng checking config
sc4s version=v1.36.0
starting goss
starting syslog-ng

If you do not see the output above, see “Troubleshoot SC4S server” and “Troubleshoot resources” sections for more detailed information.