
Symantec Data Loss Prevention (DLP): How to specify a certain index for events from a Syslog host?

pickerin
Path Finder

Newcomer to Splunk, just took the "Using Splunk" course and trying to learn how all of the pieces fit together.

I installed the Symantec DLP application, and set it up according to the documentation. It uses syslog to send events (incidents) into Splunk. I just got a couple of Events to show up in Splunk, so that's exciting!

However, it appears that the App is only looking for them in a "dlp" index. These events are coming into my "main" index. How do I map that all events logged via this host should go into a "dlp" index?

Thanks!

0 Karma
1 Solution

pickerin
Path Finder

Answer: The only solution if you wish to send the data directly to the indexer is to do so on a custom port, so you can specify a unique index and sourcetype.

Solution: I moved the logs to the syslog aggregator, where I could monitor the path and provide a unique index and sourcetype, then that host is a universal forwarder to the index. Works great (but requires two systems).


0 Karma
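As an added example (not from the original post or the Symantec DLP app), here are the two inputs.conf arrangements the accepted answer describes: a dedicated UDP listener on the indexer, and a monitored syslog-aggregator file on a universal forwarder. The port 5514, the file path, the host value and the sourcetype placeholder are assumptions; the dlp index must already exist on the indexer (created by the app's indexes.conf or by you).

```ini
# Option A: indexer only. A dedicated UDP listener lets you set the index
# and sourcetype per input, which the shared 514 listener cannot do.
# Port 5514 is assumed: point the DLP appliance at it and open it on the
# firewall. File: $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer.
[udp://5514]
index = dlp
sourcetype = <sourcetype expected by the Symantec DLP app>
# record the sender's IP as the host field
connection_host = ip

# Option B: syslog aggregator plus universal forwarder (what the poster
# chose). The aggregator writes the appliance's syslog to a file; the
# forwarder's monitor input stamps index and sourcetype before sending
# to the indexer. Path and host value are assumed.
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf on the forwarder.
[monitor:///var/log/syslog/dlp/dlp.log]
index = dlp
sourcetype = <sourcetype expected by the Symantec DLP app>
host = dlp-appliance
disabled = false
```

Restart Splunk on the host you edited, then confirm with a search for `index=dlp` that new incidents no longer land in main.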

shandman
Path Finder

Welcome to Splunk! Good question.

You can find what you are looking for here.
http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html

0 Karma

pickerin
Path Finder

This is a great solution if you have a forwarder that you're using.
Unfortunately, I have an appliance that is sending syslog data on UDP 514 to the Indexer.
So, I'm looking for a solution that can be implemented on the Indexer only.

I guess I could create a custom index that listens on and accepts syslog from a unique port, then assign that port the index, but I was hoping for something a little more straightforward (as that solution also requires changing firewalls to open up additional ports).

I was hoping that I could just map the hostname to a specific index, as that hostname is never forwarding anything for a different index.

0 Karma