Objective
This document explains how to configure Versa Director (Linux/Ubuntu level) to forward only OS-level logs (not SD-WAN / Analytics logs) to a Splunk server using syslog.
Background
Versa Director runs on a Linux (Ubuntu-based) system and uses rsyslog for log management.
The default Versa UI/CLI syslog configuration applies only to Versa application logs and does not include the full Linux system logs.
To forward Linux logs (e.g., syslog, auth, kernel), configuration must be done at the OS level using rsyslog.
Log Locations on Director
Linux System Logs:
/var/log/syslog
/var/log/auth.log
/var/log/kern.log
Versa Director Application Logs:
/var/log/vnms/
Configuration Steps
Step 1: Access Director CLI
Log in via SSH and switch to root:
sudo -i
Step 2: Create rsyslog Configuration File
vi /etc/rsyslog.d/90-splunk.conf
Step 3: Add Syslog Forwarding Rules
Recommended Configuration (Linux logs only):
<-----------Add from below line----------->
# Exclude Versa Director application logs
if $programname startswith 'vnms' then stop
# Use only ONE of the two blocks below; enabling both sends every event twice.
# Option 1: TCP (use @@)
# Forward Linux system logs to Splunk
auth,authpriv.* @@<SPLUNK_IP>:514
kern.* @@<SPLUNK_IP>:514
syslog.* @@<SPLUNK_IP>:514
daemon.* @@<SPLUNK_IP>:514
# Option 2: UDP (use @). To use UDP, uncomment these lines and remove the TCP lines above.
# Forward Linux system logs to Splunk
#auth,authpriv.* @<SPLUNK_IP>:514
#kern.* @<SPLUNK_IP>:514
#syslog.* @<SPLUNK_IP>:514
#daemon.* @<SPLUNK_IP>:514
Step 4: Restart rsyslog Service
systemctl restart rsyslog
Step 5: Verify Log Forwarding
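On Director (logger defaults to the user facility, which the rules above do not forward, so send the test message with a forwarded facility):
logger -p daemon.notice "Test log from Versa Director"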
On Splunk:
Check incoming logs and verify hostname.
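The following audit script is an added example, not part of the original procedure or of Versa's tooling. It lists the forwarding rules in a drop-in file, reports whether a given facility is covered (logger's default "user" facility is not), and flags facilities sent to the same target over both TCP and UDP. The function names and the 192.0.2.10 address are assumptions, and it handles only the simple "facility.priority @target" form used in Step 3.

```shell
#!/bin/sh
# Added example (not Versa tooling): audit forwarding rules in an rsyslog drop-in.
# Handles only the simple selector form used in Step 3 of this page.

# Print "facility transport target" for every active forwarding rule in file $1.
list_forward_rules() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }                  # skip comments and non-rule lines
        $2 ~ /^@/ {
            transport = ($2 ~ /^@@/) ? "tcp" : "udp"   # @@ is TCP, single @ is UDP
            target = $2; sub(/^@+/, "", target)
            sel = $1; sub(/\.[^.]*$/, "", sel)         # strip the priority part
            n = split(sel, fac, ",")
            for (i = 1; i <= n; i++) print fac[i], transport, target
        }' "$1"
}

# Exit 0 if facility $2 is forwarded by some rule in file $1.
is_forwarded() {
    list_forward_rules "$1" |
        awk -v f="$2" '$1 == f || $1 == "*" { hit = 1 } END { exit !hit }'
}

# Print "facility target" pairs sent over both TCP and UDP (duplicate events).
double_sent() {
    list_forward_rules "$1" | awk '
        { seen[$1 " " $3] = seen[$1 " " $3] " " $2 }
        END { for (k in seen) if (seen[k] ~ /tcp/ && seen[k] ~ /udp/) print k }' | sort
}

# Constructed sample: Step 3 rules with both blocks active, 192.0.2.10 as a
# placeholder collector address. On a Director, point the functions at
# /etc/rsyslog.d/90-splunk.conf instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
if $programname startswith 'vnms' then stop
auth,authpriv.* @@192.0.2.10:514
kern.* @@192.0.2.10:514
# UDP variant
auth,authpriv.* @192.0.2.10:514
kern.* @192.0.2.10:514
EOF

for f in auth kern user; do
    if is_forwarded "$SAMPLE" "$f"; then echo "$f: forwarded"; else echo "$f: NOT forwarded"; fi
done
echo "sent twice (TCP and UDP):"; double_sent "$SAMPLE"
```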
Important Considerations
1. Director UI vs Linux Syslog
UI affects only Versa services; rsyslog controls all Linux logs.
2. High Availability (HA)
Configure on both nodes; logs are node-local.
3. Upgrade Impact
Back up the config file from /etc/rsyslog.d/
4. Network Requirements
Ensure connectivity and open ports (514 or 6514).
Outcome
Only Linux OS logs are sent to Splunk, excluding Versa application logs.