https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33611#M1329 <P>This will not work in this case. There are actually two different sourcetypes originating from the same host. For the F5, I have both F5:iRule:WebAccess logs and standard syslog logs. The F5:iRule:WebAccess logs are being recognized as they should. They are being sent to a unique port and I have overridden the sourcetype. But, how do I indicate the other type of logs from the same host should be classified with a different sourcetype?</P> <P>Thanks!</P> Wed, 15 May 2013 13:59:20 GMT vragosta 2013-05-15T13:59:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33609#M1327 <P>All,</P> <P>Is there a particular sourcetype that should be assigned to the F5 syslog logs? Right now, the logs are being forwarded to Splunk over port 514 and are simply being assigned a sourcetype of "udp:514". Also, I'm not certain the format of the logs is correct. Currently, they look like this:</P> <P><STRONG><EM>May 14 16:34:45 10.238.148.22 May 14 16:34:28 AAA-SLDC-LTM3900-2 info logger: [ssl_req][14/May/2013:16:34:28 -0400] 10.238.140.125 TLSv1 AES128-SHA "/xxx/stuff.jsp" 2503</EM></STRONG></P> <P>I was expecting a syslog id to appear as part of the logs, such as something like the following:</P> <P><STRONG><EM>May 13 13:41:12 AAA-SLDC-LTM3900-2 notice sod[6060]: 010c0019:5: Active</EM></STRONG></P> <P>Is it possible all of the logs I am currently receiving simply have no syslog id?</P> <P>Lastly, if the sourcetype is not being auto assigned, is it possible to assign a sourcetype to a subset of logs destined to a particular source? For example, in addition to the F5 syslog logs, I am also forwarding some firewall logs over this port as well. I obviously don't want to force the sourcetype to be the same for everything destined to port 514.</P> <P>Thanks!</P> Tue, 14 May 2013 20:53:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33609#M1327 vragosta 2013-05-14T20:53:27Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33610#M1328 <P>Yes, you can by using your props.conf.</P> <P><CODE></CODE><PRE><CODE><BR /> [host::<STRONG>&lt;IPorHOSTname&gt;</STRONG>]<BR /> sourcetype=<STRONG>&lt;your source type&gt;</STRONG><BR /> </CODE></PRE></P> <P>Additional Reading:</P> <UL> <LI><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides">Advancedsourcetypeoverrides</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Configureindex-timefieldextraction">Configureindex-timefieldextraction</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime">Addfieldsatsearchtime</A></LI> </UL> <P>Hope this helps or gets you started. Dont forget to vote and accept answers that help.</P> <P>Cheers,</P> Wed, 15 May 2013 00:07:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33610#M1328 bmacias84 2013-05-15T00:07:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33611#M1329 <P>This will not work in this case. There are actually two different sourcetypes originating from the same host. For the F5, I have both F5:iRule:WebAccess logs and standard syslog logs. The F5:iRule:WebAccess logs are being recognized as they should. They are being sent to a unique port and I have overridden the sourcetype. But, how do I indicate the other type of logs from the same host should be classified with a different sourcetype?</P> <P>Thanks!</P> Wed, 15 May 2013 13:59:20 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33611#M1329 vragosta 2013-05-15T13:59:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33612#M1330 <P>Could you post a couple of samples of both types od syslog data.</P> Wed, 15 May 2013 15:35:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-for-F5-Networks-Syslog-Logs/m-p/33612#M1330 bmacias84 2013-05-15T15:35:49Z