Customize inputs.conf Palo Alto - Multiple sources...

wvalente · ‎12-05-2018

Dear,

I configured the inputs.conf of the palo alto app exactly as the documentation.

However, in addition to the palo alto logs, I get other logs via udp: 514. The configuration in inputs.conf is forwarding all logs via 514 to the pan: log sourcetype.

How could I change only the high-pit logs to the sourcetype pan: log?

panguy · ‎12-12-2018

https://answers.splunk.com/answers/205815/how-to-configure-different-sourcetypes-for-udp-por.html

You can use the following in your inputs.conf

[udp://SOURCE_IP:PORT]

martin_mueller · ‎12-06-2018

Three options:

Best: let a dedicated syslog daemon receive the data, write to disk, let a universal forwarder read the log files and assign sourcetypes per file.

Bad: make each source use a distinct port.

Bad: keep all sources at one port, define props/transforms to rewrite source types, index, etc based on the event, host, etc.

dkeck · ‎12-05-2018

Hi,

I am pretty certain, that splunk can handle one sourcetype for one UDP:Port input.

I think a dedicated syslog server could deal with this though.

Customize inputs.conf Palo Alto - Multiple sources udp:514

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms