
Using Firesight Syslog Alerting to send syslog data to a Heavy Forwarder

mrtolu6
Path Finder

Hello,
My Firesight logs currently come into my search head with sourcetype=syslogs. I would like my Firesight logs to be changed to the default sourcetype for the Splunk_ta_sourcefire app. Currently I have Firesight sending syslog data to my heavy fwd through the Firesight syslog alerting. There is no universal fwd installed on the Firesight; Firesight is sending the logs to the Heavy Forwarder, which sends the logs to the indexers. On the Heavy Forwarder I have the Splunk_ta_sourcefire app installed, and I also have this app installed on the search head. What would be the best approach to get the sourcetype to change to the app default sourcetype? Do I need to edit the Splunk_ta_Sourcefire inputs.conf file and add the IP address of the Firesight logs?

0 Karma

woodcock
Esteemed Legend

On your syslog server set the sourcetype directly inside whatever inputs.conf file ( local directory, not default ) is sending the logs to the indexers.

0 Karma

mrtolu6
Path Finder

A Universal Forwarder is not installed on the Firesight host. It sends syslogs directly to the Heavy Forwarder. I'm trying to figure out how I can change the logs' sourcetype on the heavy forwarder. Do I need to edit the inputs.conf file in the Splunk_ta_Sourcefire app? If so, what stanza do I put in the inputs.conf file?

0 Karma

woodcock
Esteemed Legend

The standard way to do this is to dedicate 1 UDP port to a single sourcetype and then write everything that comes in on that port to a particular directory that determines both the sourcetype and the host (e.g. '/opt/syslog/firewall/1.2.3.4/blah.log'). Then have Splunk monitor that directory for files and set the sourcetype and host based on segments in the path. Check what that app expects the sourcetype to be and then configure your syslog server to use that pathname. Then the TA/App should "just work".

0 Karma
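An added example of the monitor stanza described in the answer above (not from the original thread or the TA itself). It assumes the syslog daemon on the heavy forwarder already writes each sending host's Firesight events into its own directory under /opt/syslog/firesight/; the directory name, sample IP and sourcetype placeholder are assumptions, so confirm the sourcetype against the TA's props.conf before deploying. It goes in a local inputs.conf on the heavy forwarder, not in the TA's default directory.

```ini
# Assumed directory layout produced by the syslog daemon (rsyslog/syslog-ng),
# one sub-directory per sending Firesight host:
#   /opt/syslog/firesight/<sending-host-ip>/<file>.log
# constructed example: /opt/syslog/firesight/10.0.0.5/firesight.log

[monitor:///opt/syslog/firesight/*/*.log]
# Placeholder: set this to the sourcetype named in the Splunk_TA_sourcefire props.conf
sourcetype = REPLACE_WITH_TA_SOURCETYPE
# host_segment counts path segments from the left:
#   /opt(1)/syslog(2)/firesight(3)/<ip>(4)/<file>.log
# so segment 4 (the sending host's IP directory) becomes the host field
host_segment = 4
# Assumed index; use whatever index your Firesight searches expect
index = firewall
disabled = 0
```

Because the sourcetype is fixed per directory, a second device type sent to a different UDP port only needs its own directory and its own monitor stanza, which is the one-port-per-sourcetype pattern the answer describes.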