My Firesight logs currently come into my search head through sourcetype=syslogs. I would like my Firesight logs to be changed to the default sourcetype for the Splunktasourcefire app. Currently I have Firesight sending syslog data to my heavy forwarder through the Firesight syslog alerting. There is no universal forwarder installed on the Firesight; Firesight is sending the logs to the heavy forwarder, which sends the logs to the indexers. On the heavy forwarder I have the Splunktasourcefire app installed, and I also have this app installed on the search head. What would be the best approach to get the sourcetype to change to the app default sourcetype? Do I need to edit the Splunktasourcefire inputs.conf file and add the IP address of the Firesight logs?
On your syslog server set the sourcetype directly inside whatever inputs.conf file (local directory, not default) is sending the logs to the indexers.
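In this thread the "syslog server" is the heavy forwarder itself, since Firesight sends straight to a Splunk UDP listener on it. The stanza below is an added example, not code from the answer above or from the Sourcefire TA: it shows the catch-all listener that produces a generic sourcetype next to a dedicated listener that stamps the TA's sourcetype at the input. The port numbers, the index name and the sourcetype value cisco:sourcefire are assumptions; look in the TA's props.conf for the sourcetype stanza it actually defines and use that name.

```ini
; Heavy forwarder: $SPLUNK_HOME/etc/apps/<your_inputs_app>/local/inputs.conf
; Put this in local/, never default/, so it survives an app upgrade.
; Port numbers, index and the sourcetype name are assumptions for this example.

; Before: one shared listener, everything is stamped with a generic sourcetype
[udp://514]
sourcetype = syslog
index = main

; After: a port dedicated to Firesight, stamped with the sourcetype the TA expects.
; 'cisco:sourcefire' is a placeholder; copy the name from the TA's props.conf.
[udp://10514]
sourcetype = cisco:sourcefire
index = firewall
; take the host field from the sending IP instead of the syslog header
connection_host = ip
; Firesight messages already carry a timestamp, so do not prepend Splunk's own
no_appending_timestamp = true
```

Because the heavy forwarder is the component that parses the data, the sourcetype has to be assigned here, at the input, before the TA's props.conf and transforms.conf run on it; with the sourcetype set, the TA installed on the heavy forwarder does the parsing and the indexers receive already-cooked events, while the copy on the search head only supplies search-time knowledge. Point the Firesight syslog alert at the new port, restart the forwarder, and confirm the effective settings with `splunk btool inputs list udp --debug` before checking that events arrive with the expected sourcetype.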
A universal forwarder is not installed on the Firesight host. It sends syslogs directly to the heavy forwarder. I'm trying to figure out how I can change the logs' sourcetype on the heavy forwarder. Do I need to edit the inputs.conf file in the Splunktasourcefire app? If so, what stanza do I put in the inputs.conf file?
The standard way to do this is to dedicate one UDP port to a single sourcetype and then write everything that comes in on that port to a particular directory that determines both the sourcetype and the host (e.g. '/opt/syslog/firewall/220.127.116.11/blah.log'). Then have Splunk monitor that directory for files and set the sourcetype and host based on segments in the path. Check what that app expects the sourcetype to be and then configure your syslog server to use that pathname. Then the TA/App should "just work".
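The monitor stanza that goes with the directory layout in the answer above, as an added example rather than code from the answer or from the Sourcefire TA. It assumes a syslog daemon on the heavy forwarder host writes each sender into its own directory under /opt/syslog/firewall/ (with rsyslog that is a dynamic file template built on `%fromhost-ip%`, which is my assumption about the setup, not something the post specifies), and that cisco:sourcefire is the sourcetype the TA expects; take the real name from the TA's props.conf.

```ini
; Heavy forwarder: $SPLUNK_HOME/etc/apps/<your_inputs_app>/local/inputs.conf
; Assumed path layout written by the syslog daemon:
;   /opt/syslog/firewall/<sender-ip>/<file>.log
; Splunk counts path segments from the first directory:
;   opt=1  syslog=2  firewall=3  <sender-ip>=4  <file>.log=5
[monitor:///opt/syslog/firewall/*/*.log]
; the directory fixes the sourcetype, so one stanza maps to exactly one sourcetype;
; 'cisco:sourcefire' is an assumption, use the name from the TA's props.conf
sourcetype = cisco:sourcefire
index = firewall
; host is taken from the 4th segment, i.e. the sender's IP directory
host_segment = 4
; follow only the live log, skip rotated or compressed copies
whitelist = \.log$
blacklist = \.(gz|\d+)$
disabled = false
```

One monitor stanza per port-and-directory pair keeps the sourcetype decision in the path rather than in regex-based overrides, and host_segment means the host field is correct even when the device's syslog header carries a name the TA does not recognise. If the daemon rotates files into the same directory, the blacklist above stops the rotated copies from being indexed a second time.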