My Firesight logs currently come into my search head through sourcetype=syslogs. I would like my Firesight logs to be changed to the default sourcetype for the Splunk_ta_sourcefire app. Currently I have Firesight sending syslog data to my heavy fwd through the Firesight syslog alerting. There is no universal fwd installed on the Firesight; Firesight is sending the logs to the Heavy Forwarder, which sends the logs to the indexers. On the Heavy Forwarder I have the Splunk_ta_sourcefire app installed, and I also have this app installed on the search head. What would be the best approach to get the sourcetype to change to the app default sourcetype? Do I need to edit the Splunk_ta_Sourcefire inputs.conf file and add the IP address of the Firesight logs?
A Universal Forwarder is not installed on the Firesight host. It sends syslogs directly to the Heavy Forwarder. I'm trying to figure out how I can change the logs' sourcetype on the heavy forwarder. Do I need to edit the inputs.conf file in the Splunk_ta_Sourcefire app? If so, what stanza do I put in the inputs.conf file?
The standard way to do this is to dedicate 1 UDP port to a single sourcetype and then write everything that comes in on that port to a particular directory that determines both the sourcetype and the host (e.g. '/opt/syslog/firewall/126.96.36.199/blah.log'). Then have Splunk monitor that directory for files and set the sourcetype and host based on segments in the path. Check what that app expects the sourcetype to be and then configure your syslog server to use that pathname. Then the TA/App should "just work".
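As an added illustration of the monitor stanza the answer describes (not from the original thread or the TA itself): with the syslog daemon on the heavy forwarder writing each sending host's events to `/opt/syslog/firewall/<host-ip>/*.log`, the stanza below assigns the sourcetype and takes the host from the fourth path segment. The sourcetype value `cisco:sourcefire` and the index name are assumptions; confirm the sourcetype against the TA's props.conf before deploying.

```ini
# inputs.conf on the heavy forwarder, placed in the local/ directory of the
# TA or of a dedicated deployment app (example config, not shipped with the TA).
# Path layout assumed: /opt/syslog/firewall/<sending-host-ip>/<file>.log
#   segment 1 = opt, 2 = syslog, 3 = firewall, 4 = <sending-host-ip>
[monitor:///opt/syslog/firewall/*/*.log]
# Assumed sourcetype; use whatever the TA's props.conf actually defines.
sourcetype = cisco:sourcefire
# Take the host field from the 4th path segment (the per-device directory)
# instead of from the forwarder's own hostname.
host_segment = 4
# Assumed index name; must exist on the indexers.
index = firewall
# Skip stale rotated files when the input is first enabled.
ignoreOlderThan = 7d
disabled = false
```

Because the heavy forwarder parses events before sending them on, the TA's props.conf and transforms.conf only need to be present there for the sourcetype-based extractions to apply; the Splunk UDP input for port 514 should remain disabled so the syslog daemon, not Splunk, owns the port.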