Current File : //backups/router/usr/local/share/syslog-ng/include/scl/splunk/splunk.conf
#############################################################################
# Copyright (c) 2023 Attila Szakacs
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 as published
# by the Free Software Foundation, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# As an additional exemption you are allowed to compile & link against the
# OpenSSL libraries as published by the OpenSSL project. See the file
# COPYING for details.
#
#############################################################################
@requires json-plugin
# https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTREF/RESTinput#services.2Fcollector.2Fraw.2F1.0
block destination splunk_hec_raw(
url()
token()
channel()
default_index("main")
default_source("syslog-ng")
default_sourcetype("syslog")
template("${S_ISODATE} ${HOST} ${MSGHDR}${MSG}\n")
batch_lines(5000)
batch_bytes(4096kB)
batch_timeout(300)
workers(8)
timeout(10)
content_type("text/plain")
extra_headers("")
extra_queries("")
use_system_cert_store(yes)
...)
{
@requires http "The splunk-hec-raw() driver depends on the syslog-ng http module, please install the syslog-ng-mod-http (Debian & derivatives) or the syslog-ng-http (RHEL & co) package"
http(
url("`url`/services/collector/raw/1.0?channel=`channel`&index=`default_index`&source=`default_source`&sourcetype=`default_sourcetype``extra_queries`")
headers(
"Authorization: Splunk `token`"
"Content-Type: `content_type`"
"Connection: keep-alive"
`extra_headers`
)
body(`template`)
batch-lines(`batch_lines`)
batch-bytes(`batch_bytes`)
batch-timeout(`batch_timeout`)
workers(`workers`)
timeout(`timeout`)
use_system_cert_store(`use_system_cert_store`)
`__VARARGS__`
);
};
# https://docs.splunk.com/Documentation/Splunk/9.0.4/RESTREF/RESTinput#services.2Fcollector.2Fevent.2F1.0
block destination splunk_hec_event(
url()
token()
default_index("main")
default_source("syslog-ng")
default_sourcetype("nix:syslog")
index("")
source("")
sourcetype("")
host("${HOST}")
time("${S_UNIXTIME}.${S_MSEC}")
fields("")
event("${MSG}")
batch_lines(5000)
batch_bytes(4096kB)
batch_timeout(300)
workers(8)
timeout(10)
content_type("application/json")
extra_headers("")
extra_queries("")
use_system_cert_store(yes)
...)
{
@requires http "The splunk-hec-event() driver depends on the syslog-ng http module, please install the syslog-ng-mod-http (Debian & derivatives) or the syslog-ng-http (RHEL & co) package"
http(
url("`url`/services/collector/event/1.0?index=`default_index`&source=`default_source`&sourcetype=`default_sourcetype``extra_queries`")
headers(
"Authorization: Splunk `token`"
"Content-Type: `content_type`"
"Connection: keep-alive"
`extra_headers`
)
body('$(format-json --scope none --omit-empty-values
index="`index`"
source="`source`"
sourcetype="`sourcetype`"
host="`host`"
time="`time`"
event="`event`"
fields=$(if ("`fields`" ne "") $(format-flat-json --scope none `fields`) ""))'
)
batch-lines(`batch_lines`)
batch-bytes(`batch_bytes`)
batch-timeout(`batch_timeout`)
timeout(`timeout`)
workers(`workers`)
use_system_cert_store(`use_system_cert_store`)
`__VARARGS__`
);
};
Mini Shell