I just installed docker and the Splunk Connect for Syslog app(?). I configured the env_file to point to my http event collector and have configured the indices, and have received the test events.
How do I actually configure listening on a port? The documentation here: https://splunk-connect-for-syslog.readthedocs.io/en/master/configuration/ says:
Other than device filter creation, SC4S is almost entirely controlled by environment variables. Here are the categories and variables needed to properly configure SC4S for your environment.
Where do I configure these environment variables? Perhaps /opt/sc4s/local/config, but in what file type, with what schema? I mean, I can read; the key/value pair is SC4S_LISTEN_DEFAULT_TLS_PORT=whatever. But where do I put that?
I was trying to set up receiving of firewall logs from pfsense, the documentation for it says:
Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source. So maybe this is the answer, I should create a CSV? That doesn't sound right.
Probably if I knew Docker I would know the answer to all these questions. But if anyone could educate me on how to use this, show me some example configurations and show me the file paths they are located in, I would be deeply appreciative.
<edit>
Never mind, I found it. The answer is, most things are configured in /opt/sc4s/env_file. Indexes and sourcetypes are configured in /opt/sc4s/local/context/splunk_metadata.csv.
In the spirit of intellectual honesty, it was in the docs in a couple of places, namely the Getting Started section in the OS- and container-specific sections, although not in ALL of them. If I may make a request to the app developers: I think adding the two paragraphs below to the Quickstart Guide would have helped; I think it is an intuitive place to look for people that missed it the first time.
Dedicated (Unique) Listening Ports
For certain source technologies, categorization by message content is impossible due to the lack of a unique “fingerprint” in the data. In other cases, a unique listening port is required for certain devices due to network requirements in the enterprise. For collection of such sources, we provide a means of dedicating a unique listening port to a specific source.
Follow this step to configure unique ports for one or more sources:
Modify index destinations for Splunk
Log paths are preconfigured to utilize a convention of index destinations that are suitable for most customers.
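As a worked illustration of the two files named in the edit above, here is an added shell example. It is not code from the original post or from the SC4S project: it writes an env_file and a local/context/splunk_metadata.csv into a base directory (standing in for /opt/sc4s), sanity-checks their shape, and derives the docker -p flags a dedicated listener needs. The HEC URL, token and index values are placeholders, and the variable name SC4S_LISTEN_PFSENSE_FIREWALL_UDP_PORT and the metadata key pfsense_firewall are assumed from the SC4S_LISTEN_<VENDOR>_<PRODUCT>_<PROTO>_PORT and <vendor>_<product> naming convention rather than copied from the SC4S pfSense page, so confirm them against the docs for your version.

```shell
#!/bin/sh
# Added example, not from the original post or the SC4S project. Writes
# <base>/env_file and <base>/local/context/splunk_metadata.csv (base is
# /opt/sc4s on a real host), checks their shape, and derives docker -p flags.
# Assumed: placeholder HEC URL/token/index, and the names
# SC4S_LISTEN_PFSENSE_FIREWALL_UDP_PORT / pfsense_firewall (naming convention,
# not copied from the SC4S pfSense page).

# env_file is consumed by docker --env-file: one KEY=value per line, no
# quotes, no "export"; comment lines are allowed.
write_env_file() {
    mkdir -p "$1"
    cat > "$1/env_file" <<'EOF'
# HEC destination (placeholder values)
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://splunk.example.internal:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=00000000-0000-0000-0000-000000000000
# The quickstart sets TLS_VERIFY=no; keep yes outside a lab.
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=yes
# Dedicated UDP listener for pfSense (assumed variable name)
SC4S_LISTEN_PFSENSE_FIREWALL_UDP_PORT=5514
EOF
}

# splunk_metadata.csv: three columns, key,metadata,value. Only the rows you
# want to override go in local/context; the defaults stay in the container.
write_metadata() {
    mkdir -p "$1/local/context"
    cat > "$1/local/context/splunk_metadata.csv" <<'EOF'
pfsense_firewall,index,netfw
EOF
}

# Every non-comment line must be NAME=value with no quotes or spaces, and
# the two HEC variables SC4S cannot start without must be present.
check_env_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        !/^[A-Z][A-Z0-9_]*=[^[:space:]"]*$/ { bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1" &&
    grep -q '^SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=' "$1" &&
    grep -q '^SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=' "$1"
}

# Every non-comment row must have exactly three fields and a metadata
# field SC4S understands (index, sourcetype, source, host).
check_metadata() {
    awk -F, '
        /^[[:space:]]*(#|$)/ { next }
        NF != 3 || $2 !~ /^(index|sourcetype|source|host)$/ { bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# A listener declared in env_file binds inside the container only. With
# bridge networking you must also publish it, so derive one -p flag per
# SC4S_LISTEN_*_<TCP|UDP|TLS>_PORT line (UDP needs the /udp suffix). The
# default 514/tcp and 514/udp listeners are on without any variable and
# need publishing as well.
publish_args() {
    awk -F'[=_]' '/^SC4S_LISTEN_[A-Z0-9_]*_(TCP|UDP|TLS)_PORT=[0-9]+$/ {
        proto = $(NF-2); port = $NF
        if (proto == "UDP") printf "-p %s:%s/udp\n", port, port
        else printf "-p %s:%s\n", port, port
    }' "$1"
}

# Stand-alone demo: writes under /tmp/sc4s-demo unless SC4S_BASE is set.
base="${SC4S_BASE:-/tmp/sc4s-demo}"
write_env_file "$base"
write_metadata "$base"
check_env_file "$base/env_file" && echo "env_file ok"
check_metadata "$base/local/context/splunk_metadata.csv" && echo "splunk_metadata.csv ok"
echo "docker ports: -p 514:514 -p 514:514/udp $(publish_args "$base/env_file" | tr '\n' ' ')"
```

Run it with SC4S_BASE=/opt/sc4s once you are happy with the placeholders, then pass the printed -p flags together with --env-file /opt/sc4s/env_file and the /opt/sc4s/local volume mount from the Getting Started page for your container runtime. A quick end-to-end check is to point the pfSense remote-logging target at the SC4S host on 5514/udp and watch the netfw index; if nothing arrives, confirm the port is actually published on the host before suspecting the parser.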