
Symantec Data Loss Prevention (DLP): How to specify a certain index for events from a Syslog host?

pickerin
Path Finder

Newcomer to Splunk, just took the "Using Splunk" course and trying to learn how all of the pieces fit together.

I installed the Symantec DLP application, and set it up according to the documentation. It uses syslog to send events (incidents) into Splunk. I just got a couple of Events to show up in Splunk, so that's exciting!

However, it appears that the App is only looking for them in a "dlp" index. These events are coming into my "main" index. How do I specify that all events logged via this host should go into a "dlp" index?

Thanks!

1 Solution

pickerin
Path Finder

Answer: The only solution if you wish to send the data directly to the indexer is to do so on a custom port, so you can specify a unique index and sourcetype.

Solution: I moved the logs to the syslog aggregator, where I could monitor the path and provide a unique index and sourcetype, then that host is a universal forwarder to the index. Works great (but requires two systems).
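Both routes the accepted answer describes, written out as an added illustration rather than configuration from the original post: on the indexer, a dedicated UDP listener whose stanza pins the index and sourcetype, and on the syslog aggregator, a monitor stanza for the universal forwarder. Port 5514, the file path, the app directory name and the sourcetype value are assumed placeholders; the sourcetype must match whatever the Symantec DLP app's props expect.

```ini
# --- indexer: indexes.conf ---------------------------------------------------
# The target index must exist before any input routes data into it.
[dlp]
homePath   = $SPLUNK_DB/dlp/db
coldPath   = $SPLUNK_DB/dlp/colddb
thawedPath = $SPLUNK_DB/dlp/thaweddb

# --- indexer: inputs.conf (route A, direct from the appliance) ---------------
# A listener dedicated to the DLP appliance. Port 5514 is an assumed example;
# the firewall between appliance and indexer has to allow it. Everything that
# arrives here is stamped with the dlp index and the app's sourcetype, so the
# default [udp://514] listener (which lands in main) is no longer used for DLP.
[udp://5514]
index = dlp
# placeholder: replace with the sourcetype the DLP app's props.conf defines
sourcetype = symantec:dlp:syslog
# derive host from the sender's IP, not from the syslog header
connection_host = ip
# keep the raw syslog line unmodified so the app's extractions still match
no_appending_timestamp = true

# --- syslog aggregator: universal forwarder inputs.conf (route B) ------------
# $SPLUNK_HOME/etc/apps/dlp_inputs/local/inputs.conf (assumed app name).
# The aggregator writes the appliance's syslog to a per-host file; the forwarder
# tails it and the index/sourcetype set here travel with the events to the indexer.
[monitor:///var/log/syslog-aggregator/dlp-appliance/*.log]
index = dlp
sourcetype = symantec:dlp:syslog
disabled = false
```

After a restart, `splunk btool inputs list --debug` shows which file each setting was read from, and the search `index=dlp earliest=-15m | stats count by host, sourcetype` confirms events are landing in the index the app searches.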

shandman
Path Finder

Welcome to Splunk! Good question.

You can find what you are looking for here.
http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html


pickerin
Path Finder

This is a great solution if you have a forwarder that you're using.
Unfortunately, I have an appliance that is sending syslog data on UDP 514 to the Indexer.
So, I'm looking for a solution that can be implemented on the Indexer only.

I guess I could create a custom index that listens on and accepts syslog from a unique port, then assign that port the index, but I was hoping for something a little more straightforward (as that solution also requires changing firewalls to open up additional ports).

I was hoping that I could just map the hostname to a specific index, as that hostname is never forwarding anything for a different index.
