
Symantec Data Loss Prevention (DLP): How to specify a certain index for events from a Syslog host?

pickerin
Path Finder

Newcomer to Splunk, just took the "Using Splunk" course and trying to learn how all of the pieces fit together.

I installed the Symantec DLP application, and set it up according to the documentation. It uses syslog to send events (incidents) into Splunk. I just got a couple of Events to show up in Splunk, so that's exciting!

However, it appears that the App is only looking for them in a "dlp" index. These events are coming into my "main" index. How do I map that all events logged via this host should go into a "dlp" index?

Thanks!

0 Karma
1 Solution

pickerin
Path Finder

Answer: The only solution if you wish to send the data directly to the indexer is to do so on a custom port, so you can specify a unique index and sourcetype.

Solution: I moved the logs to the syslog aggregator, where I could monitor the path and provide a unique index and sourcetype, then that host is a universal forwarder to the index. Works great (but requires two systems).


0 Karma

shandman
Path Finder

Welcome to Splunk! Good question.

You can find what you are looking for here.
http://answers.splunk.com/answers/1090/how-do-i-forward-data-to-a-specific-index.html

0 Karma

pickerin
Path Finder

This is a great solution if you have a forwarder that you're using.
Unfortunately, I have an appliance that is sending syslog data on UDP 514 to the Indexer.
So, I'm looking for a solution that can be implemented on the Indexer only.

I guess I could create a custom index that listens on and accepts syslog from a unique port, then assign that port the index, but I was hoping for something a little more straightforward (as that solution also requires changing firewalls to open up additional ports).

I was hoping that I could just map the hostname to a specific index, as that hostname is never forwarding anything for a different index.

0 Karma
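As an added example that is not from the thread and not the Symantec DLP app's own configuration, here is what the two approaches pickerin describes look like in Splunk .conf files. Only the index name dlp comes from the thread; the port 1514, the sourcetype name symantec:dlp and the monitored path are assumptions.

```ini
# Added example (not from the original thread). Assumed values: port 1514,
# sourcetype "symantec:dlp", monitored path. Only the index name "dlp" is from the thread.

# --- Option 1: the indexer receives the appliance's syslog on a dedicated port ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the indexer.
# index/sourcetype on a UDP input apply to everything arriving on that port, so the
# DLP appliance needs its own port; mixing senders on 514 would tag them all as dlp.
# 1514 is unprivileged, so splunkd can bind it without running as root.
[udp://1514]
index = dlp
sourcetype = symantec:dlp
# record the sender's IP as the host field
connection_host = ip

# The target index must exist on the indexer, or events are dropped.
# $SPLUNK_HOME/etc/system/local/indexes.conf on the indexer
[dlp]
homePath   = $SPLUNK_DB/dlp/db
coldPath   = $SPLUNK_DB/dlp/colddb
thawedPath = $SPLUNK_DB/dlp/thaweddb

# --- Option 2: a syslog aggregator writes files, a universal forwarder monitors them ---
# $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder (path is an assumption)
[monitor:///var/log/syslog/dlp/*.log]
index = dlp
sourcetype = symantec:dlp
disabled = false

# Check the effective settings after a restart:
#   splunk btool inputs list udp://1514 --debug
# and confirm events land where expected:
#   index=dlp | stats count by host, sourcetype
```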