Hello,
I'm new to Splunk and I'd like to use this app with a file as the data input and not a port on the Splunk server. I'm already running an instance of rsyslog and I don't want Splunk to retrieve logs directly. How can I do this (if possible)?
Simon
You can add the files that rsyslog is storing to a "monitor://" stanza in $SPLUNK_HOME/etc/system/local/inputs.conf; just use the same sourcetype that the Cisco Firewall app expects. This would look something like:
[monitor:///var/log/firewalls]
sourcetype=cisco_firewall
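A fuller version of that stanza, added here as an example and not part of the answer above or of the Cisco Firewall app itself. It assumes rsyslog writes one subdirectory per firewall under /var/log/firewalls (for example /var/log/firewalls/fw01/messages.log); the index name "firewall" and that directory layout are assumptions for illustration, and the sourcetype has to match whatever the app defines in its props.conf.

```ini
# Added example (not from the original answer): inputs.conf monitor stanza
# for firewall syslog files written by rsyslog.
# Assumed layout written by rsyslog: /var/log/firewalls/<firewall-host>/<file>.log

[monitor:///var/log/firewalls]
sourcetype = cisco_firewall
index = firewall
disabled = 0
# Recurse into the per-host subdirectories, but only pick up the live
# log files, not rsyslog/logrotate's rotated or compressed copies.
recursive = true
whitelist = \.log$
blacklist = \.(gz|\d+)$
# Take the host name from the 4th path segment:
# /var/log/firewalls/fw01/messages.log -> var(1) log(2) firewalls(3) fw01(4)
host_segment = 4
# Many small syslog files can start with an identical block of text; salting
# the CRC with the path stops Splunk from treating them as the same file.
crcSalt = <SOURCE>
```

After saving the file, restart Splunk and confirm the stanza is what Splunk actually loaded with "$SPLUNK_HOME/bin/splunk btool inputs list monitor:///var/log/firewalls --debug", then search index=firewall sourcetype=cisco_firewall. Two things that commonly bite here: the user Splunk runs as needs read permission on the files and directories rsyslog creates (rsyslog typically writes them as root with restrictive modes), and the app's field extractions only apply because the sourcetype matches, so a typo in that value leaves the events indexed but unparsed. Dropping the stanza into an app's local directory (for example $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf) instead of system/local keeps the input with the app it belongs to.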