I am attempting to setup the Cisco ESA app and on configuring the inputs.conf file I have [monitor://\mail_logs\mail.@20130712T172736.s] per instructions however, I need to ensure the app is listening to tcp port 514. Where can I set that?
For a Heavy Forwarder, usually it's recommended to collect data using something like syslog-ng or rsyslog. You can however setup a tcp or udp input directly using inputs.conf file. See the following Splunk Documentation:
You're actually going to need to configure two different inputs here. 1 is for textmail and http logs. The other is for authentication logs.
For Textmail and HTTP Logs
I would highly recommend following the app instructions as they're laid out pretty nicely. For setting up Splunk to listen on a specific port, you'll want to use the following document http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Go_to_the_Add_New_page
For authentication logs
You'll want to use a monitor stanza, but you're going to want to monitor the paths to the files that you are receiving from your ESA administrator. If those are the same as you described above, than that monitor stanza should work.
In a file called inputs.conf in $SPLUNKHOME/etc/apps/SplunkTA_cisco-esa/local you'll have something like
sourcetype = cisco:esa:authentication
I am not able to add data inputs via splunkweb on the heavy forwarder. I need to do it via inputs.conf and the user needs to be able to send data via tcp 514 and not udp. Unfortunately the instructions only mention the monitor portion but not if the port is different.
Ah I see, sorry about that.
So your input should be fairly straight forward
One thing to note is that if you aren't running Splunk as root, than on many Unix Operating Systems, Splunk won't be able to listen on port 514. You would simply just need to change your input stanza to be a different port and configure your ESA to send to that different port. For example
Thank You for your response. We have other hosts that are going to port 514. I ve put this into inputs.conf
source = \mail_logs\mail.@20130712T172736.s
sourcetype = cisco:esa:textmail
index = ironport
Do you happen to know if this would work to collect logs from a particular host going to 514?
So in the case of [tcp://:514] as an example:
If you specify , the specified port only accepts data from that host.
If you specify nothing for - [udp://] - the port accepts data sent from any host.