All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple apps that receive on UDP/514 on a heavy forwarder

mjones414
Contributor
‎06-06-2014 10:27 AM

I'm trying to prevent unnecessary sprawl in our current splunk environment and I want to funnel all udp:514 traffic from systems that cannot change port at point of departure to a heavy forwarder that will load balance across indexers. I'm running into some challenges in doing so based on how different splunk apps treat the port.

Cisco IOS: looks for sourcetype=syslog and transforms and writes the data to the ios index.
Splunk app for Netapp Data OnTAP: needs udp:514's sourcetype to be ontap:syslog

How could I effectively have apps written to use syslog ports differently work together on the same heavy forwarder if they require the default sourcetype to be different at the point of arrival?

0 Karma
Reply

mikaelbje
Motivator
‎06-11-2014 01:44 AM

Hi,

gfreitas' answer is a way to go, or you could set up a Syslog-NG/Rsyslog server for reception of syslog data to file. You then set up a Universal Forwarder to monitor these files and sending them to the indexer.

Both Syslog-NG and Rsyslog can do per host filtering. Another way to go is to use different ports or even different IP addresses by setting up secondary IPs on that server and treating the inputs differently by IP.

My suggestion is normally always to set up a pure syslog server. That way no data is lost when Splunk is restarted due to patching, configuration changes an so on.

0 Karma
Reply

gfreitas
Builder
‎06-07-2014 05:29 AM

Hi mjones414,

Perhaps you can simply filter the events by source IP or hosts in inputs.conf and route that to different sourcetypes. Look the inputs.conf example bellow:

[udp://10.1.0.252:514]
connection_host = ip
source = asa_firewall_headquarters
sourcetype = syslog
index = cisco

[udp://10.1.3.251:514]
connection_host = ip
source = fortigate_firewall_branch
sourcetype = fortigate
index = fortigate

Hope this can help you!

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...