topic Re: How to configure Splunk to index syslog data from multiple sources? in Getting Data In

How to configure Splunk to index syslog data from multiple sources?

cbaiocchetti — Fri, 06 Mar 2015 12:28:42 GMT

Hello. First time I'm posting a question, and a relative newb to Splunk so I apologize up front if this has already been asked and answered, or if this is a silly question.

Currently running latest Splunk on Windows server. I have configured a new data input for Syslog on TCP 514, and have configured the input to receive asm_log files from the F5 device in our environment and this is working just fine.

I would now like to add our RSA Security Management as a second source of Syslog data, but I cannot figure out how to add it to the existing Data Input. If I try to add it through the Web interface, I get the error message that the port is already being used (not a big surprise there).

So can anyone tell me where I am going wrong? Is there a better way to go about receiving data from multiple Syslog sources? Any help would be greatly appreciated, as I am really liking Splunk and this is the first significant problem I have encountered.

Thank you in advance and regards,

Chris

Re: How to configure Splunk to index syslog data from multiple sources?

MuS — Fri, 06 Mar 2015 12:37:29 GMT

Hi cbaiocchetti,

the easiest way would be to setup a new UDP port for this new device something like [udp:515] and assign the sourcetype to it. If your new device is not able to send to any different UDP than 514, do so and use some props.conf and transforms.conf voodoo to change the sourcetype to the new one.
Take a look here http://answers.splunk.com/answers/57424/trying-to-override-a-syslog-udp-sourcetype-based-on-a-host-naming-convention-not-working.html to get an idea how it can be done.

cheers, MuS

Re: How to configure Splunk to index syslog data from multiple sources?

Runals — Fri, 06 Mar 2015 12:56:02 GMT

I would second MuS' approach. However my recommendation is if this is going to move into a production state I'd stand up a Linux server to receive syslog data and put a Splunk agent on it to read the output. This gives you some resiliency to hand Splunk restarts/downtime.

Re: How to configure Splunk to index syslog data from multiple sources?

MuS — Fri, 06 Mar 2015 13:06:04 GMT

and to second this as well, here is the related answer about this topic http://answers.splunk.com/answers/144357/why-is-syslog-right-into-splunk-so-bad-wrong.html

Re: How to configure Splunk to index syslog data from multiple sources?

cbaiocchetti — Tue, 10 Mar 2015 15:12:29 GMT

Hi, and thanks to you both for the quick replies. Sorry for taking so long to respond.

I think we'll initially use the UDP/conf file solution. Also appreciate the links, and sorry for not finding them myself.

Regards,

Chris