All Apps and Add-ons

Multiple apps that receive on UDP/514 on a heavy forwarder

mjones414
Contributor

I'm trying to prevent unnecessary sprawl in our current Splunk environment and I want to funnel all udp:514 traffic from systems that cannot change port at point of departure to a heavy forwarder that will load balance across indexers. I'm running into some challenges in doing so based on how different Splunk apps treat the port.

Cisco IOS: looks for sourcetype=syslog and transforms and writes the data to the ios index.
Splunk app for Netapp Data OnTAP: needs udp:514's sourcetype to be ontap:syslog

How could I effectively have apps written to use syslog ports differently work together on the same heavy forwarder if they require the default sourcetype to be different at the point of arrival?

0 Karma

mikaelbje
Motivator

Hi,

gfreitas' answer is a way to go, or you could set up a Syslog-NG/Rsyslog server for reception of syslog data to file. You then set up a Universal Forwarder to monitor these files and send them to the indexer.

Both Syslog-NG and Rsyslog can do per host filtering. Another way to go is to use different ports or even different IP addresses by setting up secondary IPs on that server and treating the inputs differently by IP.

My suggestion is normally always to set up a pure syslog server. That way no data is lost when Splunk is restarted due to patching, configuration changes and so on.

0 Karma
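An added example (not from either poster) of the file-based approach described above: rsyslog writes each sender into a directory named for the app that owns it, and the Universal Forwarder's inputs.conf assigns the sourcetype each app expects from the path. The device addresses, directory layout, file names, the UF app name and the NetApp index name are all constructed assumptions.

```conf
# --- /etc/rsyslog.d/10-remote-syslog.conf (file name assumed), on the syslog server ---
module(load="imudp")
input(type="imudp" port="514")

# One file per sending device, under a directory named for the app that owns it,
# so the Universal Forwarder can derive host and sourcetype from the path.
template(name="CiscoFile" type="string"
         string="/var/log/remote/cisco/%fromhost-ip%/messages.log")
template(name="OntapFile" type="string"
         string="/var/log/remote/ontap/%fromhost-ip%/messages.log")

# Constructed addresses: IOS devices live in 10.1.10.0/24, the two NetApp
# controllers are listed explicitly. Adjust to your own inventory.
# The account running the Universal Forwarder needs read access to these files.
if ($fromhost-ip startswith "10.1.10.") then {
    action(type="omfile" dynaFile="CiscoFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
if ($fromhost-ip == "10.1.20.11" or $fromhost-ip == "10.1.20.12") then {
    action(type="omfile" dynaFile="OntapFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
# Anything else arriving on UDP/514 falls through to the rest of rsyslog's rules.

# --- $SPLUNK_HOME/etc/apps/remote_syslog_inputs/local/inputs.conf (app name assumed),
#     on the Universal Forwarder that monitors the directory tree above ---
# host_segment = 5 picks the sender IP out of /var/log/remote/<app>/<ip>/messages.log
# (1=var 2=log 3=remote 4=<app> 5=<ip>). Splunk conf files do not allow trailing
# comments after a value, so comments stay on their own lines.
[monitor:///var/log/remote/cisco/*/messages.log]
sourcetype = syslog
index = ios
host_segment = 5
disabled = 0

# Index name for the NetApp data is assumed; use whatever that app expects.
[monitor:///var/log/remote/ontap/*/messages.log]
sourcetype = ontap:syslog
index = ontap
host_segment = 5
disabled = 0
```

Because the host comes from the path and the sourcetype from the directory, each app sees its events as if it had owned UDP/514 by itself, and rsyslog keeps receiving while Splunk is restarted.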

gfreitas
Builder

Hi mjones414,

Perhaps you can simply filter the events by source IP or hosts in inputs.conf and route that to different sourcetypes. Look at the inputs.conf example below:

[udp://10.1.0.252:514]
connection_host = ip
source = asa_firewall_headquarters
sourcetype = syslog
index = cisco

[udp://10.1.3.251:514]
connection_host = ip
source = fortigate_firewall_branch
sourcetype = fortigate
index = fortigate

Hope this can help you!

0 Karma