Upgrading Splunk Connect for Syslog v2 -> v3

Upgrade process (for version newer than 2.3.0)

In general the upgrade process consists of three steps: - change of container version - restart of service - validation NOTE: Version 3 of SC4S is using alpine linux distribution as base image in opposition to previous versions which used UBI (Red Hat) image.

Docker/Podman

Update container image version

In the service file: /lib/systemd/system/sc4s.service container image reference should be updated to version 3 with latest tag:

[Service]
Environment="SC4S_IMAGE=ghcr.io/splunk/splunk-connect-for-syslog/container3:latest"

Restart sc4s service

Restart the service: sudo systemctl restart sc4s

Validate

After the above command is executed successfully, the following information with the version becomes visible in the container logs: sudo podman logs SC4S for podman or sudo docker logs SC4S for docker. Expected output:

SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:fallback...
SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
syslog-ng checking config
sc4s version=3.0.0
starting goss
starting syslog-ng 

If you are upgrading from version lower than 2.3.0 please refer to this guide.