Getting Data In

How to configure different sourcetypes for udp port 514 ?

aeshan
Engager

Hello,

I have configured two network devices (a Cisco router and a FortiGate firewall) to send logs to the Splunk server via UDP port 514. I can successfully see all the raw logs, but particular apps won't show any data because the sourcetype doesn't match. I can't define different sourcetypes for the same UDP port in "Data inputs". How can I overcome this issue?

1 Solution

treinke
Builder

You can use the following in your inputs.conf

[udp://123.456.789:514]
index = networking
sourcetype = cisco

[udp://123.456.890:514]
index = networking
sourcetype = fortinet

There are no answers without questions


82padarthi
Explorer

Hi,

Edit the inputs.conf file in $SPLUNK_HOME/etc/apps/app-name/local/inputs.conf or $SPLUNK_HOME/etc/system/local/inputs.conf or $SPLUNK_HOME/etc/apps/search/local/inputs.conf
Note: there is no need to enter the configuration below in all of these input files; any one of them is fine.

[udp://ipaddressofthedevice:514]
index = linux
sourcetype = linuxevents

[udp://ipaddressofthdevice:514]
index = linux
sourcetype = syslog

Example:
[udp://10.1.1.10:514]
index = linux
sourcetype = linuxevents

[udp://192.168.1.9:514]
index = linux
sourcetype = syslog

amnonh
Explorer

This, exactly as stated here, totally worked for us (Splunk 9).
Create the inputs.conf file, add the stanzas as indicated here, no more no less, and save the file. In Config Explorer do a debug/refresh and you will see these special inputs appear in the GUI as "[IP]:[PORT]", and data will trickle in to the specified index(es) using the specified sourcetype.

0 Karma

ppablo
Retired

Hi @aeshan

Did Anthony Reinke's or @kml_uvce's answers below solve your question? If yes, please accept the one that did to resolve this post by clicking "Accept" right below the appropriate answer. Thanks!

Patrick

0 Karma

kml_uvce
Builder

You can edit it in the local directory of the app folder:
$SPLUNK_HOME/etc/apps/app-name/local/inputs.conf
or you can modify it directly from Splunk Web:
http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Enableareceiver

0 Karma

jayannah
Builder

What's your Splunk topology and source paths?

0 Karma


jdanij
Path Finder

According to the config spec, you cannot define more than one input for the same port:
[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.

However, did it work for any of you?
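As an added example (not code from the thread or from Splunk), a small Python script that parses the kind of inputs.conf the accepted answer describes, resolves which sourcetype a sender on UDP 514 would be given, and flags the overlap the spec quoted above warns about. The sample stanzas, the function names, and the assumption that a host-restricted stanza takes precedence over a bare [udp://514] stanza are this example's own.

```python
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs.conf modelled on the thread: one stanza per sending device on UDP 514, each
# with its own sourcetype, plus a bare [udp://514] stanza to show the overlap the spec warns about.
SAMPLE_INPUTS_CONF = """[udp://10.1.1.10:514]
index = networking
sourcetype = cisco

[udp://192.168.1.9:514]
index = networking
sourcetype = fortinet

[udp://514]
index = networking
sourcetype = syslog
"""
STANZA_RE = re.compile(r"^udp://(?:(?P<host>[^:]+):)?(?P<port>\d{1,5})$")
Stanza = Tuple[Optional[str], int, str]  # (restricting host or None, port, sourcetype)

def parse_udp_stanzas(text: str) -> Dict[str, Stanza]:
    # Keep only [udp://...] stanzas; [monitor://...] and other input types are skipped.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    matches = {name: STANZA_RE.match(name) for name in cp.sections()}
    return {n: (m.group("host"), int(m.group("port")), cp[n].get("sourcetype", "syslog"))
            for n, m in matches.items() if m}

def check_udp_inputs(text: str) -> List[str]:
    # Report ports where a bare stanza and host-restricted stanzas compete for the same datagrams.
    stanzas, findings = parse_udp_stanzas(text), []
    for port in sorted({port for _, port, _ in stanzas.values()}):
        same = [n for n, (_, p, _) in stanzas.items() if p == port]
        bare = [n for n in same if stanzas[n][0] is None]
        if bare and len(same) > 1:
            findings.append(f"port {port}: {bare[0]} overlaps {len(same) - 1} host-restricted stanza(s)")
    return findings

def sourcetype_for(stanzas: Dict[str, Stanza], src_ip: str, port: int) -> Optional[str]:
    # Sourcetype a datagram from src_ip:port would receive. This script assumes (not verified
    # against Splunk internals) that a stanza naming the sender's IP beats the bare port stanza.
    fallback = None
    for host, p, sourcetype in stanzas.values():
        if p == port and host == src_ip:
            return sourcetype
        if p == port and host is None:
            fallback = sourcetype
    return fallback
```

Running check_udp_inputs over your own inputs.conf before a debug/refresh shows whether a leftover [udp://514] stanza is still competing with the per-device ones.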

tiagomiranda
Explorer

Why is it that when I restrict the host I don't receive anything? Is there some specific configuration?
My firewall and my switch are allowed to send logs.

0 Karma

treinke
Builder

Are you seeing the packets with tcpdump/Wireshark on the Splunk server?

There are no answers without questions
0 Karma

treinke
Builder

You are adding an IP address to limit the input selection. If you added [udp://514] to the inputs.conf file, you are saying any IP address on UDP port 514. This is really more like [udp://*:514]. When you add the IP address to the stanza, you are narrowing down the parameters. So [udp://123.456.789:514] is saying: from this IP on this port, do the following in the stanza.

There are no answers without questions
0 Karma

aeshan
Engager

Thank you very much for the solution. Can you please specify which inputs.conf file I should edit? I saw several inputs.conf files in several folders.

0 Karma

treinke
Builder

When you configure the inputs from the web interface, the inputs.conf file will be in the app folder that you were in before you went into the inputs section. For example, if you were in the Search & Reporting app, the current location for your inputs.conf would be

$SPLUNK_HOME/etc/apps/search/local/inputs.conf

If you are not sure where to store your file with these stanzas, you can use

$SPLUNK_HOME/etc/system/local/inputs.conf

There are no answers without questions
0 Karma