Today I’ve been spending a lot of time working in my home lab (as I so often do). And I’m pleased to report that I have learned many new things about the rsyslog package available (and often preinstalled) on most Linux distributions.
What is rsyslog?
rsyslog can forward its logs to virtually any type of syslog receiver on the market, including more advanced systems such as Splunk and other SIEM products. That doesn’t come as a surprise to most people.
What may surprise you is that rsyslog can also stamp messages with a facility and severity of your choosing (typically one of the reserved local0 through local7 facilities, since the syslog facility set itself is fixed) and send them over to your logging server. To make things even more impressive, it can tail a non-standard log file that was never written through syslog at all, using its imfile input module, and forward each new line directly to your syslog server.
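Here is the rsyslog configuration that does exactly that, as an added example rather than the config from the original post. It assumes the server writes to /opt/minecraft/logs/latest.log, that the rsyslog host is named mc-host, and that the Splunk server (splunk.lab.example) has a TCP data input listening on port 514; all three are assumptions to adjust.

```conf
# /etc/rsyslog.d/50-minecraft.conf  (example config, not from the original post)
# Assumed paths/hosts: /opt/minecraft/logs/latest.log, splunk.lab.example:514/tcp

module(load="imfile")      # file-tailing input module; not loaded by default

# Give the Minecraft messages their own ruleset so they never mix with the
# host's normal /var/log/* handling, and "stop" so nothing else sees them.
ruleset(name="minecraft") {
    action(type="omfwd"
           target="splunk.lab.example"
           port="514"
           protocol="tcp")   # tcp rather than udp: udp loss is silent
    stop
}

# Follow latest.log and wrap every new line in a syslog header.
# Facility local3 + severity info gives PRI <158> (19*8 + 6), so the
# receiver can route on it. The Minecraft line itself carries only a
# time, no date; the syslog header supplies both for the SIEM.
input(type="imfile"
      File="/opt/minecraft/logs/latest.log"
      Tag="minecraft:"
      Facility="local3"
      Severity="info"
      ruleset="minecraft")

# What Splunk then receives for one constructed Minecraft line:
#   <158>Jun  5 22:10:01 mc-host minecraft: [22:10:01] [Server thread/INFO]: Steve joined the game
```

Check the syntax with `sudo rsyslogd -N1` before restarting the service; rsyslog keeps a state file in its work directory so the file position survives restarts and lines are not resent. Two practitioner caveats: this sends the traffic in clear over TCP, so for anything beyond a lab enable the TLS stream driver on omfwd (StreamDriver="gtls" or "ossl", StreamDriverMode="1") so the receiver is authenticated and the data encrypted; and remember that Minecraft chat lines are player-controlled text that now lands in your SIEM, so treat the message body as untrusted input when you build searches or alerts on it.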
Today I tried setting up rsyslog to send all my logs from my Minecraft server over to my Splunk server. The perfect combination of how Aetacraft started (with a Minecraft server) and where it is going (using a Splunk server and other enterprise technologies).
I took a picture of Splunk parsing messages from my Minecraft server. As you can see, Splunk doesn’t quite parse the Minecraft server output perfectly by default (which isn’t really a surprise, of course, given that you would rarely see a Minecraft server in an enterprise). But with some slight tweaks in Splunk.