Generic syslog building block
The rsyslog config below implements a reusable building block for onboarding syslog data, for example into Splunk. It assumes an on-premises enterprise environment and uses the file system as a buffer/queue to decouple syslog senders from a receiver like the Splunk Universal Forwarder (UF). This way you can restart Splunk UF without any data loss.
The following four configuration files ensure:
- Reception of syslog into one log file for every source IP address.
- Fitness for a high-volume syslog setup by having rsyslog NOT throttle (rate-limit) incoming messages.
- Least privilege for Splunk UF by having rsyslog create files with an appropriate umask and group.
- Retention of all log files for 1 day to prevent availability issues from "disk full" scenarios.
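As an added illustration (not the page's own four files), the following single rsyslog configuration shows how the four properties above map onto rsyslog directives; the listener ports, the `/var/log/syslog-in` path, the `syslog` user and the `splunk` group are assumptions.

```rsyslog
# Added example: one combined rsyslog config for the four properties listed above.
# Assumptions: listeners on UDP/TCP 514, spool under /var/log/syslog-in, rsyslog
# runs as user "syslog", Splunk UF runs as a member of group "splunk".
module(load="imudp" threads="2")
module(load="imtcp")

# Least privilege: process umask plus explicit create modes/owners so that new
# directories and files are readable by group "splunk" only, never world-readable.
$umask 0027
$FileCreateMode 0640
$DirCreateMode 0750
$FileOwner syslog
$FileGroup splunk
$DirOwner syslog
$DirGroup splunk

# No throttling: a large disk-assisted main queue absorbs bursts, and imudp
# rate limiting is switched off (interval 0) so rsyslog does not drop messages.
main_queue(
  queue.type="LinkedList"
  queue.size="500000"
  queue.filename="mainq"
  queue.maxDiskSpace="2g"
  queue.saveOnShutdown="on"
)
input(type="imudp" port="514" ratelimit.interval="0" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per source IP and day; the date in the file name lets a daily
# cleanup job enforce the 1-day retention (see the comment at the end).
template(name="PerSourceFile" type="string"
         string="/var/log/syslog-in/%fromhost-ip%/%$year%-%$month%-%$day%.log")

ruleset(name="remote") {
  action(type="omfile" dynaFile="PerSourceFile"
         dirCreateMode="0750" fileCreateMode="0640"
         fileOwner="syslog" fileGroup="splunk" dirOwner="syslog" dirGroup="splunk")
  stop
}

# Retention is enforced outside rsyslog (assumed daily cron job, not rsyslog syntax):
#   find /var/log/syslog-in -type f -name '*.log' -mmin +1440 -delete
```

Splunk UF only needs read access through the `splunk` group, so it never runs with rights to modify or delete the spool files.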