Dear Experts,
I am trying to add data to monitor Cisco logs through Splunk. I am only able to add 1 device; it gives an error when I add more devices.
Snapshot of the error is shown below.
Any help regarding this will be appreciated.
I will be thankful for any help regarding this.
Hello there. Consider using Splunk Connect for Syslog. It is a tool that will allow very easy implementation of data sources like Cisco through syslog-ng. It will ultimately write to HTTP Event Collector in Splunk.
See this link for additional information. I hope this helps because I have been having great success with this tool!
Thanks, have to check it.
It would help if you explained the steps to reproduce this problem, but I suspect you are doing at least two things wrong:
1) Trying to send syslog events directly to Splunk. This has been discouraged for a few years because it can lead to data loss. Best practice is to send syslog events to a dedicated syslog server and forward them from there to Splunk.
2) Assuming there is a one-to-one relationship between a UDP port and a network device. This is not the case. Once Splunk is listening to a port, it will accept data from thousands of devices, provided they match the "Only accept connection from" setting.
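As an added illustration of both points above (this is not configuration from the answer, from Splunk's documentation, or from the original poster), the inputs.conf fragments below show three things side by side: the per-device stanza pattern that fails, the single-stanza form that accepts many senders, and the recommended alternative of reading files written by a dedicated syslog server. The port 514 is the one from the thread; the IP addresses, subnet, file path, index name and the `cisco:ios` sourcetype are constructed placeholders. The "Only accept connection from" field in the Add Data wizard is the `acceptFrom` setting shown here.

```ini
# ------------------------------------------------------------------
# PATTERN THAT FAILS: one [udp://514] stanza per network device.
# Splunk keys network inputs by port, so a second stanza for the same
# port is a duplicate of the first. This is what the wizard rejects.
# Shown only for contrast; never load both stanzas together.
# ------------------------------------------------------------------
[udp://514]
connection_host = ip
acceptFrom = 10.0.0.1
sourcetype = cisco:ios

[udp://514]
connection_host = ip
acceptFrom = 10.0.0.2
sourcetype = cisco:ios

# ------------------------------------------------------------------
# WHAT WORKS FOR POINT 2: a single stanza for the port, listing every
# permitted sender in acceptFrom. Entries are comma-separated; single
# hosts, CIDR blocks and "!" exclusions are all accepted, evaluated in
# order. Everything not matched is dropped, which is the allow-list
# behaviour you want on an unauthenticated UDP listener.
# ------------------------------------------------------------------
[udp://514]
connection_host = ip
acceptFrom = 10.0.0.1, 10.0.0.2, 10.0.1.0/24, !10.0.1.250
sourcetype = cisco:ios
index = network

# ------------------------------------------------------------------
# RECOMMENDED FOR POINT 1: no UDP listener on Splunk at all. A syslog
# server (rsyslog/syslog-ng) receives on 514 and writes one directory
# per sending host; a universal forwarder on that server tails the
# files. The forwarder buffers and retries, so a Splunk restart or
# indexer outage no longer loses the UDP packets that arrive meanwhile.
# Path layout is assumed: /var/log/remote/<host>/<file>.log
# ------------------------------------------------------------------
[monitor:///var/log/remote/*/*.log]
host_segment = 4
sourcetype = cisco:ios
index = network
disabled = false
```

After editing the file on the receiving instance, `splunk btool inputs list udp://514 --debug` prints the merged stanza and the file each setting came from, which is the quickest way to confirm that only one definition of the port exists and that the full `acceptFrom` list took effect. `host_segment = 4` in the monitor stanza sets the event host from the fourth path component (the per-device directory), so each Cisco device still shows up under its own host name even though all files are read by one forwarder.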
It can be reproduced by doing the following:
Add Data > Monitor > TCP/UDP > then mention the port udp/514 and add any IP address in the "Only accept connection from" field.
It is just accepting one device, and when I try to add another device, it shows an error, as shown in the snapshot in my last post.
Did you read point #2 in my answer? It doesn't make sense to add the same port multiple times. Once Splunk is listening to a port there is no need to tell it to do so again.
Please describe the problem you are trying to solve. What is it that adding another port 514 input will do for you?