I have some questions concerning a Splunk deployment I'm working on. We have a single Splunk instance and we want to forward all the logs from network equipment to it directly.
Can we send all the data to UDP/514 while defining multiple sourcetypes, since the default syslog port cannot be changed on some devices?
Is it possible to set multiple listeners on the same port, something along the lines of "host::port"?
"host_ip_1:514"
"host_ip_2:514"
.
.
etc.
We're afraid that if we just open UDP/514 and dump all the data with only one sourcetype defined (syslog), it'll be harder to manage the data and integrate it with some Splunk Apps that require specific sourcetypes.
What would you suggest?
Excuse the rookie question, I'm new to Splunk.
Hi foufoumad,
You have to ingest all sources with one sourcetype (e.g. syslog), then override the sourcetype based on a regex.
The main job is to identify a regex for each kind of source.
For more information see https://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
In a few words:
in props.conf:
[syslog]
# each TRANSFORMS-<class> entry names a stanza in transforms.conf to apply
TRANSFORMS-changesourcetype_source1 = set_sourcetype_1
TRANSFORMS-changesourcetype_source2 = set_sourcetype_2
in transforms.conf:
[set_sourcetype_1]
# regex tested against the raw event
REGEX = your_regex1
# sourcetype to assign when the regex matches
FORMAT = sourcetype::your_new_sourcetype_1
# write the new value into the event's sourcetype metadata
DEST_KEY = MetaData:Sourcetype
[set_sourcetype_2]
REGEX = your_regex2
FORMAT = sourcetype::your_new_sourcetype_2
DEST_KEY = MetaData:Sourcetype
Bye.
Giuseppe
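To see how the override chain in the answer above behaves once more than one transform is in play, here is an added Python simulation of the props.conf/transforms.conf logic. It is not Splunk code and not part of the original thread; the syslog lines, regexes and sourcetype names (example:asa, example:ios) are constructed for illustration only. It models the part of Splunk's behaviour that matters for the question: every line arriving on UDP/514 starts as sourcetype "syslog", the transforms of the [syslog] stanza are tested in order against the raw event, and a later matching transform overwrites the sourcetype set by an earlier one. That last point is the practitioner's caveat: a broad regex listed after a specific one silently reclaims the specific one's events.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines (not real device output), as they would
# arrive on UDP/514 and be ingested with the catch-all sourcetype "syslog".
SAMPLE_LINES = [
    "<166>Jan 10 10:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "<189>Jan 10 10:00:02 sw01 123: *Jan 10 10:00:02.123: %LINK-3-UPDOWN: "
    "Interface GigabitEthernet1/0/1, changed state to down",
    "<166>Jan 10 10:00:03 fw02 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 "
    'dst inside:10.0.0.8/22 by access-group "outside_in"',
    "<14>Jan 10 10:00:04 nas01 backup[4242]: job finished OK",
]


@dataclass(frozen=True)
class Transform:
    """One transforms.conf stanza: REGEX plus FORMAT = sourcetype::<value>."""
    name: str
    regex: str
    sourcetype: str


# First attempt (assumed regexes and sourcetype names): the second regex is
# meant for IOS-style "%FACILITY-SEV-MNEMONIC:" tags, but it also matches
# "%ASA-6-302013:", so every ASA event ends up relabelled as example:ios.
NAIVE_TRANSFORMS = [
    Transform("set_sourcetype_asa", r"%ASA-\d-\d{6}:", "example:asa"),
    Transform("set_sourcetype_ios", r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:", "example:ios"),
]

# Fixed version: the broad regex explicitly excludes the ASA prefix, so the
# two transforms never both match one event and order no longer matters.
TRANSFORMS = [
    Transform("set_sourcetype_asa", r"%ASA-\d-\d{6}:", "example:asa"),
    Transform("set_sourcetype_ios", r"%(?!ASA-)[A-Z0-9_]+-\d-[A-Z0-9_]+:", "example:ios"),
]


def classify(line, transforms=TRANSFORMS, default="syslog"):
    """Return the final sourcetype for one raw event.

    Mirrors the [syslog] props.conf stanza: the event starts as `default`,
    each transform is tested in order, and every match writes DEST_KEY, so the
    last matching transform wins. Events matching nothing stay "syslog".
    """
    sourcetype = default
    for t in transforms:
        if re.search(t.regex, line):
            sourcetype = t.sourcetype
    return sourcetype


def summarize(lines, transforms=TRANSFORMS):
    """Count events per resulting sourcetype, the quick sanity check to run
    on a sample of real traffic before committing a transform chain."""
    return Counter(classify(line, transforms) for line in lines)


if __name__ == "__main__":
    for label, chain in (("naive", NAIVE_TRANSFORMS), ("fixed", TRANSFORMS)):
        print(f"--- {label} chain ---")
        for line in SAMPLE_LINES:
            print(f"{classify(line, chain):12s} {line[:60]}")
        print(dict(summarize(SAMPLE_LINES, chain)))
```

Running it shows the naive chain tagging both ASA lines as example:ios while the fixed chain splits them correctly and leaves the NAS line as plain syslog. The same check is worth doing against Splunk itself with a sample file and `| stats count by sourcetype` before pointing every device at the listener.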
Don't use Splunk for Syslog network ports. Send syslog to a syslog receiver and pick it up with a universal forwarder.