<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic multiple syslog servers question in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/multiple-syslog-servers-question/m-p/62476#M12499</link>
    <description>&lt;P&gt;Hi everyone, &lt;/P&gt;

&lt;P&gt;I have a question about setting up Splunk to record syslog messages from 2 different syslog servers.&lt;/P&gt;

&lt;P&gt;I am using the basic Splunk - no extra licenses - and it's running on Windows 7 64-bit.&lt;/P&gt;

&lt;P&gt;Here is my setup:&lt;/P&gt;

&lt;P&gt;I have a border router, and its inside IP address is 10.0.0.1.&lt;/P&gt;

&lt;P&gt;Behind the border router I have an ASA 5505 for the firewall - its inside IP is 192.168.1.1.&lt;/P&gt;

&lt;P&gt;I want to collect the syslog messages from both of these devices.  I am using UDP 514 for Syslog on both the router and firewall.&lt;/P&gt;

&lt;P&gt;I am able to set up Splunk to listen and record everything that is coming into UDP 514... which gives me the syslog data for both the router and firewall all mixed together.&lt;/P&gt;

&lt;P&gt;I would prefer if I could have Splunk listen for and record syslog for my router... and separately, listen to and record syslog data from my firewall.  That way I could have labels on each - one for the router, and one for the firewall - which would make it easier to distinguish between the router and firewall's syslog messages.&lt;/P&gt;

&lt;P&gt;The problem is I can't figure out how to set it up to do this.&lt;/P&gt;

&lt;P&gt;About the only thing I can think of is to keep the router's syslog coming from UDP 514, while changing the firewall so it uses a different UDP port for syslog.&lt;/P&gt;

&lt;P&gt;Is that the only option that I have?  Or is there a more elegant solution out there?&lt;/P&gt;

&lt;P&gt;Thanks in advance for your help....&lt;/P&gt;

&lt;P&gt;Mike&lt;/P&gt;</description>
    <pubDate>Tue, 29 May 2012 17:50:27 GMT</pubDate>
    <dc:creator>boeckelr</dc:creator>
    <dc:date>2012-05-29T17:50:27Z</dc:date>
    <item>
      <title>multiple syslog servers question</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/multiple-syslog-servers-question/m-p/62476#M12499</link>
      <description>&lt;P&gt;Hi everyone, &lt;/P&gt;

&lt;P&gt;I have a question about setting up Splunk to record syslog messages from 2 different syslog servers.&lt;/P&gt;

&lt;P&gt;I am using the basic Splunk - no extra licenses - and it's running on Windows 7 64-bit.&lt;/P&gt;

&lt;P&gt;Here is my setup:&lt;/P&gt;

&lt;P&gt;I have a border router, and its inside IP address is 10.0.0.1.&lt;/P&gt;

&lt;P&gt;Behind the border router I have an ASA 5505 for the firewall - its inside IP is 192.168.1.1.&lt;/P&gt;

&lt;P&gt;I want to collect the syslog messages from both of these devices.  I am using UDP 514 for Syslog on both the router and firewall.&lt;/P&gt;

&lt;P&gt;I am able to set up Splunk to listen and record everything that is coming into UDP 514... which gives me the syslog data for both the router and firewall all mixed together.&lt;/P&gt;

&lt;P&gt;I would prefer if I could have Splunk listen for and record syslog for my router... and separately, listen to and record syslog data from my firewall.  That way I could have labels on each - one for the router, and one for the firewall - which would make it easier to distinguish between the router and firewall's syslog messages.&lt;/P&gt;

&lt;P&gt;The problem is I can't figure out how to set it up to do this.&lt;/P&gt;

&lt;P&gt;About the only thing I can think of is to keep the router's syslog coming from UDP 514, while changing the firewall so it uses a different UDP port for syslog.&lt;/P&gt;

&lt;P&gt;Is that the only option that I have?  Or is there a more elegant solution out there?&lt;/P&gt;

&lt;P&gt;Thanks in advance for your help....&lt;/P&gt;

&lt;P&gt;Mike&lt;/P&gt;</description>
      <pubDate>Tue, 29 May 2012 17:50:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/multiple-syslog-servers-question/m-p/62476#M12499</guid>
      <dc:creator>boeckelr</dc:creator>
      <dc:date>2012-05-29T17:50:27Z</dc:date>
    </item>
    <item>
      <title>Re: multiple syslog servers question</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/multiple-syslog-servers-question/m-p/62477#M12500</link>
      <description>&lt;P&gt;You can take the UDP input and separate those formats into separate sourcetypes.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;This previous answer will probably be helpful to you. &lt;/P&gt;

&lt;P&gt;&lt;A href="http://splunk-base.splunk.com/answers/6917/different-sourcetypes-for-different-syslog-hosts"&gt;http://splunk-base.splunk.com/answers/6917/different-sourcetypes-for-different-syslog-hosts&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 29 May 2012 18:01:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/multiple-syslog-servers-question/m-p/62477#M12500</guid>
      <dc:creator>sdaniels</dc:creator>
      <dc:date>2012-05-29T18:01:09Z</dc:date>
    </item>
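A concrete version of the host-keyed sourcetype split that the reply above points to, written here as an added example; it is not part of the original thread and not text from Splunk's documentation. It keeps the single UDP 514 listener from the question and uses the two inside addresses the poster gave (10.0.0.1 for the router, 192.168.1.1 for the ASA). The stanza names, the sourcetype names cisco:router and cisco:asa, and the assumption that each device sends its syslog from that inside interface address are mine; adjust the IPs if a device logs from a different interface.

```ini
# inputs.conf (added example): one UDP listener for both devices.
# connection_host = ip stores the datagram's source address in the host
# field, which is what the transforms below key on, so no reverse DNS
# lookup is needed for the match to work.
[udp://514]
sourcetype = syslog
connection_host = ip

# props.conf (added example): run the two host-keyed transforms, in order,
# on every event whose source is udp:514. The two regexes are mutually
# exclusive, so an event matches at most one of them; events from any other
# sender keep the default sourcetype set in inputs.conf.
[source::udp:514]
TRANSFORMS-route_by_host = set_router_sourcetype, set_asa_sourcetype

# transforms.conf (added example): MetaData:Host carries the value with a
# "host::" prefix, so each regex anchors on that prefix plus the exact IP
# (dots escaped) and rewrites only the sourcetype, leaving host untouched.
# cisco:router and cisco:asa are assumed names, not stock Splunk sourcetypes.
[set_router_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = ^host::10\.0\.0\.1$
FORMAT = sourcetype::cisco:router
DEST_KEY = MetaData:Sourcetype

[set_asa_sourcetype]
SOURCE_KEY = MetaData:Host
REGEX = ^host::192\.168\.1\.1$
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
```

These are index-time settings, so they belong on the instance that parses the data (here the single Windows install), take effect after a splunkd restart, and apply only to events indexed from then on; a quick check afterwards is a search over source=udp:514 with stats count by host and sourcetype, which should show one sourcetype per address. One caveat worth keeping in mind: the host value comes from the UDP datagram's source address, which nothing authenticates, so this labels traffic rather than verifying where it came from, and anything on the LAN that can send from 10.0.0.1 would be tagged as the router.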
  </channel>
</rss>

