Hello. First time I'm posting a question, and a relative newb to Splunk so I apologize up front if this has already been asked and answered, or if this is a silly question.
Currently running latest Splunk on Windows server. I have configured a new data input for Syslog on TCP 514, and have configured the input to receive asm_log files from the F5 device in our environment and this is working just fine.
I would now like to add our RSA Security Management as a second source of Syslog data, but I cannot figure out how to add it to the existing Data Input. If I try to add it through the Web interface, I get the error message that the port is already being used (not a big surprise there).
So can anyone tell me where I am going wrong? Is there a better way to go about receiving data from multiple Syslog sources? Any help would be greatly appreciated, as I am really liking Splunk and this is the first significant problem I have encountered.
I would second MuS' approach. However, my recommendation is that if this is going to move into a production state, I'd stand up a Linux server to receive syslog data and put a Splunk agent on it to read the output. This gives you some resiliency to handle Splunk restarts/downtime.
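One way to set up the Linux syslog receiver recommended in the answer above, as an added example that is not part of the original thread: an rsyslog configuration that accepts syslog on TCP 514 from any number of devices and writes one file per sender. The choice of rsyslog, the file name, the `/var/log/remote` path, and the template and ruleset names are assumptions made for illustration.

```conf
# /etc/rsyslog.d/10-remote.conf  (constructed example; path and names are assumptions)

# Load the TCP syslog listener module.
module(load="imtcp")

# Build the output path from the sender's IP address, so each device
# (for example the F5 and the RSA appliance) lands in its own directory.
template(name="PerSourceFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

# A dedicated ruleset keeps remote messages out of the receiver's own
# local log files and applies restrictive permissions to what is written.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerSourceFile"
           dirCreateMode="0750" fileCreateMode="0640")
}

# A single listener on TCP 514 serves every sending device; messages
# are separated by sender on disk rather than by port.
input(type="imtcp" port="514" ruleset="remote")
```

A Splunk forwarder on the same host can then read these files with a `[monitor:///var/log/remote/*/syslog.log]` stanza in `inputs.conf`, using `host_segment = 4` to take the host value from the per-sender directory name. Because the files persist on disk, data sent while Splunk is restarting is picked up when the forwarder resumes.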