I am attempting to set up the Cisco ESA app, and on configuring the inputs.conf file I have [monitor://\mail_logs\mail.@20130712T172736.s] per instructions; however, I need to ensure the app is listening on TCP port 514. Where can I set that?
You're actually going to need to configure two different inputs here. One is for textmail and HTTP logs. The other is for authentication logs.
http://docs.splunk.com/Documentation/AddOns/latest/CiscoESA/ConfigureCiscoESA
For Textmail and HTTP Logs
I would highly recommend following the app instructions as they're laid out pretty nicely. For setting up Splunk to listen on a specific port, you'll want to use the following document http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Go_to_the_Add_New_page
For authentication logs
You'll want to use a monitor stanza, but you're going to want to monitor the paths to the files that you are receiving from your ESA administrator. If those are the same as you described above, then that monitor stanza should work.
In a file called inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local you'll have something like
[monitor://\authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication
I am not able to add data inputs via Splunk Web on the heavy forwarder. I need to do it via inputs.conf, and the user needs to be able to send data via TCP 514 and not UDP. Unfortunately the instructions only mention the monitor portion, but not what to do if the port is different.
Ah I see, sorry about that.
So your input should be fairly straightforward:
[tcp://514]
sourcetype=cisco:esa:http
One thing to note is that if you aren't running Splunk as root, then on many Unix operating systems Splunk won't be able to listen on port 514. You would simply need to change your input stanza to a different port and configure your ESA to send to that different port. For example:
[tcp://5140]
sourcetype=cisco:esa:http
Thank you for your response. We have other hosts that are going to port 514. I've put this into inputs.conf:
[tcp://hostname:514]
source = \mail_logs\mail.@20130712T172736.s
sourcetype = cisco:esa:textmail
index = ironport
Do you happen to know if this would work to collect logs from a particular host going to 514?
So in the case of [tcp://<remote server>:514] as an example:
If you specify <remote server>, the specified port only accepts data from that host.
If you specify nothing for <remote server> - [udp://<port>] - the port accepts data sent from any host.
For a heavy forwarder, it's usually recommended to collect data using something like syslog-ng or rsyslog. You can, however, set up a TCP or UDP input directly using the inputs.conf file. See the following Splunk documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports
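To make the points in this thread checkable before a restart, here is a small lint script (added example, not part of the original thread or of the Cisco ESA add-on) that parses an inputs.conf body, recognises [tcp://<remote server>:<port>] and [tcp://<port>] stanzas, and flags a privileged port when Splunk is not running as root, a listener that accepts data from any host, and a stanza with no sourcetype. The sample conf and the 1023 privileged-port boundary are constructed assumptions for the demo.

```python
import configparser
import re

# Constructed sample inputs.conf mirroring the stanzas discussed in the thread.
SAMPLE_INPUTS_CONF = """
[monitor://\\mail_logs\\mail.@20130712T172736.s]
sourcetype = cisco:esa:textmail

[tcp://514]
sourcetype = cisco:esa:http

[tcp://hostname:514]
sourcetype = cisco:esa:textmail
index = ironport

[tcp://5140]
"""

# [tcp://<remote server>:<port>] or [tcp://<port>]; udp stanzas have the same shape.
NET_STANZA = re.compile(r"^(?P<proto>tcp|udp)://(?:(?P<host>[^:]+):)?(?P<port>\d+)$")
PRIVILEGED_PORT_MAX = 1023  # assumption: ports below 1024 need root on most Unix systems


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for a Splunk inputs.conf body."""
    # Only '=' separates keys from values; ':' appears inside sourcetype values.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def lint_inputs(text, running_as_root=False):
    """Flag the pitfalls raised in the thread: privileged ports without root,
    listeners open to any host, and stanzas with no sourcetype."""
    findings = []
    for stanza, settings in parse_inputs_conf(text).items():
        m = NET_STANZA.match(stanza)
        if m:
            port = int(m.group("port"))
            if port <= PRIVILEGED_PORT_MAX and not running_as_root:
                findings.append((stanza, "privileged port; needs root or a high port such as 5140"))
            if m.group("host") is None:
                findings.append((stanza, "no remote host given: accepts data from any host"))
        if "sourcetype" not in settings:
            findings.append((stanza, "no sourcetype set"))
    return findings


if __name__ == "__main__":
    for stanza, msg in lint_inputs(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: {msg}")
```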
For the location of the monitor then would I place it under source? For ex:
[tcp://:514]
source = \mail_logs\mail.@20130712T172736.s