
Customize inputs.conf Palo Alto - Multiple sources udp:514

wvalente
Explorer

Dear,

I configured the inputs.conf of the Palo Alto app exactly as in the documentation.

However, in addition to the Palo Alto logs, I receive other logs via udp:514. The configuration in inputs.conf is forwarding all logs arriving on 514 to the pan:log sourcetype.

How could I assign the sourcetype pan:log only to the Palo Alto logs?

0 Karma

panguy
Contributor

https://answers.splunk.com/answers/205815/how-to-configure-different-sourcetypes-for-udp-por.html

You can use the following in your inputs.conf:

[udp://SOURCE_IP:PORT]

0 Karma

martin_mueller
SplunkTrust

Three options:

Best: let a dedicated syslog daemon receive the data, write to disk, let a universal forwarder read the log files and assign sourcetypes per file.

Bad: make each source use a distinct port.

Bad: keep all sources on one port, define props/transforms to rewrite sourcetypes, index, etc. based on the event, host, etc.

0 Karma
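A concrete form of the first option above, as an added example that is not from this thread or from the Palo Alto app: rsyslog owns udp:514 and files each sender separately, and a universal forwarder monitors those files with one sourcetype per directory. The firewall address 192.0.2.10, the index names and the directory layout are placeholders chosen for the example; the Splunk `[udp://514]` input on the same host must be disabled so it does not compete with rsyslog for the port.

```conf
# --- /etc/rsyslog.d/10-remote-syslog.conf (rsyslog RainerScript) ---
# Listen on UDP/514 and write every remote sender to its own directory,
# keyed by source IP so that no DNS lookup is needed to separate devices.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

template(name="PerSenderFile" type="string"
         string="/var/log/remote/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerSenderFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop   # do not also copy remote events into the local /var/log/messages
}

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the universal forwarder ---
# The firewall's directory gets pan:log; every other sender stays plain syslog.
# 192.0.2.10 is a placeholder for the firewall's logging address.
# host_segment = 4 takes the host from /var/log/remote/<ip>/... (4th path segment).

[monitor:///var/log/remote/192.0.2.10]
sourcetype = pan:log
index = pan_logs
host_segment = 4
disabled = false

[monitor:///var/log/remote]
# Exclude the firewall directory so the two monitor stanzas never overlap.
blacklist = /192\.0\.2\.10/
sourcetype = syslog
index = main
host_segment = 4
disabled = false
```

Adding a second device later is one more monitor stanza (or one more blacklist entry), with no change to the listening port or to the Palo Alto app's own props and transforms.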

dkeck
Influencer

Hi,

I am pretty certain that Splunk can handle one sourcetype for one UDP port input.

I think a dedicated syslog server could deal with this though.

0 Karma