In my indexers' inputs.conf we have the standard stanza in place for receiving inbound logs from forwarders.
[splunktcp://9997]
disabled = 0
Am I able to add additional stanza(s) to the inputs.conf so I can properly identify and index logs that are being sent via syslog to the indexer (because the logs belong to SaaS or an appliance that can't have a forwarder installed)?
i.e.
[tcp://10.1.1.1:9997]
index=windows
source=10.1.1.1
Thanks
Hi @lhanich1,
you can add all the input stanzas you want; the only limitation is that via the GUI you cannot use the same port for more stanzas, but you can do it by conf file.
You can configure different ways to differentiate logs:
The important thing is to recognize the sourcetype to correctly configure knowledge objects (fields, tags, etc.).
Only one hint (if possible): if you have a distributed architecture (more Indexers, more Search Heads, etc.), in other words, if you don't have an All-In-One server, don't use the Indexers to ingest syslogs, because during Indexer maintenance you lose your syslogs.
The better architecture to ingest syslogs is to have two Heavy Forwarders (full Splunk Enterprise instances that forward all the logs to the Indexers) and a Load Balancer that manages load balancing and failover (if you don't have a Load Balancer, you can also use DNS for this): in this way you're sure to ingest syslogs also during Indexer maintenance or failover.
Ciao.
Giuseppe
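The setup Giuseppe describes, written out as an added example (this is not configuration from the thread or from Splunk's own docs): a heavy forwarder that keeps the existing splunktcp listener for universal forwarders, takes syslog from an appliance and from a subnet on separate plain tcp/udp inputs, tags each input with its own index and sourcetype so knowledge objects apply, and forwards everything to two indexers. The appliance address 10.1.1.1, the 10.1.0.0/16 subnet, port 1514, the index names and the indexer hostnames are assumptions. The syslog inputs deliberately use a port other than 9997: a `[tcp://...]` stanza and the `[splunktcp://9997]` stanza would otherwise both try to listen on the same port. Port 1514 is also chosen because binding 514 requires the splunk service account to have privileged-port rights on Linux.

```ini
# --- inputs.conf on each heavy forwarder (added example, values are assumptions) ---

# Inbound cooked data from universal forwarders stays on its own port.
[splunktcp://9997]
disabled = 0

# Raw syslog over TCP, accepted only from the appliance at 10.1.1.1 (assumed
# address). The remote-host form of the stanza restricts the sender, and
# connection_host = ip makes the host field the sender's IP rather than the
# forwarder's hostname, so searches can tell appliances apart.
[tcp://10.1.1.1:1514]
disabled = 0
index = appliance
sourcetype = syslog
connection_host = ip

# Raw syslog over UDP from the assumed 10.1.0.0/16 appliance subnet. acceptFrom
# is a network ACL: anything outside the listed range is dropped at the input.
[udp://1514]
disabled = 0
index = syslog
sourcetype = syslog
connection_host = ip
acceptFrom = 10.1.0.0/16

# --- outputs.conf on each heavy forwarder (added example, hostnames are assumptions) ---

# Everything the heavy forwarder ingests is load-balanced across the indexer
# tier; if one indexer is down for maintenance the other keeps receiving.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997
autoLBFrequency = 30
```

With two heavy forwarders carrying this configuration behind a load balancer (or a DNS name that resolves to both), the appliances point their syslog destination at the load balancer, and an indexer restart no longer drops syslog on the floor, which is the failure mode the answer warns about. The sourcetype set on each input is what later drives field extractions and tags, so assign a specific one per appliance type rather than leaving it at the default.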
My main concern is affecting the
[splunktcp://9997]
disabled = 0
My instincts suggest my initial question would work.